| PHP mysql_excape but need to search for those items [message #178358] |
Mon, 11 June 2012 15:34  |
mrgushi
Messages: 3
Registered: June 2012
Karma: 0
|
Junior Member |
|
|
Hey Guys,
First time poster here. I'm working on an App that needs to be able to
querry my DB via PHP in particular those items such as periods commas
slashes and things that mysql_real_escape_string cleans out to prevent
SQL injection attacks. How would you recommend doing that securely? My
SQL login rights in the script are read only is that enough?
I was thinking of using JS to modify the querry before they hit the
mysql_real_escape_string such that I have a custom DB lookup for each
major punctuation... A period = punc1 A comma = punc2 etc.... Any
Alternate thoughts would be appreciated.
THX
PS- My app is a English Translation guide to Braille so I need to be
able to lookup punctuation in the DB somehow.
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178359 is a reply to message #178358] |
Mon, 11 June 2012 15:54  |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Am 11.06.2012 17:34, schrieb mrgushi:
> First time poster here. I'm working on an App that needs to be able to
> querry my DB via PHP in particular those items such as periods commas
> slashes and things that mysql_real_escape_string cleans out to prevent
> SQL injection attacks. How would you recommend doing that securely? My
> SQL login rights in the script are read only is that enough?
Consider using prepared statements - the query contains placeholders for
the parameters and all input from outside is used as parameters and is
never directly inserted into the statement.
> I was thinking of using JS to modify the querry before they hit the
> mysql_real_escape_string such that I have a custom DB lookup for each
> major punctuation... A period = punc1 A comma = punc2 etc.... Any
An attacker can just turn off JS or use tools like curl or wget to send
HTTP requests. So - always make sure, you server side code is secure and
does not rely on client side scripting.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178360 is a reply to message #178358] |
Mon, 11 June 2012 16:38 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/11/2012 11:34 AM, mrgushi wrote:
> Hey Guys,
> First time poster here. I'm working on an App that needs to be able to
> querry my DB via PHP in particular those items such as periods commas
> slashes and things that mysql_real_escape_string cleans out to prevent
> SQL injection attacks. How would you recommend doing that securely? My
> SQL login rights in the script are read only is that enough?
>
> I was thinking of using JS to modify the querry before they hit the
> mysql_real_escape_string such that I have a custom DB lookup for each
> major punctuation... A period = punc1 A comma = punc2 etc.... Any
> Alternate thoughts would be appreciated.
> THX
>
> PS- My app is a English Translation guide to Braille so I need to be
> able to lookup punctuation in the DB somehow.
No, it is not sufficient to make your SQL login rights read only. That
will prevent SQL injection from changing your database, but not
something like dumping the database.
You should use mysql_real_escape_string() in the WHERE clause, also. In
fact, you should use it any time you are dealing with character data in
the database - not only just INSERT or UPDATE operations.
You can use prepared statements also (some people prefer them), but that
is also additional work.
And NEVER depend on JS or anything else client-side!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178361 is a reply to message #178359] |
Mon, 11 June 2012 16:48 |
mrgushi
Messages: 3
Registered: June 2012
Karma: 0
|
Junior Member |
|
|
Interesting... Thx.
You have any samples codes to give me an idea of how something like
that would work. The JS issue is a fantastic point but not as
important as you might think. The WebApp will be embeded into a
PhoneGap Install and then locked to a HTTPS encrypted tunnel to the
PHP scripts up in the cloud.. Haven't figured out exactly how to lock
it except to use cookies with a https flag.
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178362 is a reply to message #178360] |
Mon, 11 June 2012 17:01 |
mrgushi
Messages: 3
Registered: June 2012
Karma: 0
|
Junior Member |
|
|
Jerry,
This is what I'm working with so far.
not sure if I've escaped everything I needed too.
$ENG = mysql_real_escape_string($ENG);
$result = mysql_query("SELECT * FROM br_test WHERE ENG LIKE '$ENG' ");
$row = mysql_fetch_array( $result );
The $ENG is the input from the search form..
The JS problem is valid but then again it will be in a locked down iOS
app using PhoneGAp. An I'll be using a HTTPs tunnel to the PHP
scripts.. use some sort of cookie with a SSL flag to lock it down. So
someone could JailBreak an iOS app and dig down in my settings and
figure out the JS but I don't think that likely but ur right I want to
take every precaution.
-dw
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178363 is a reply to message #178362] |
Mon, 11 June 2012 17:54 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/11/2012 1:01 PM, mrgushi wrote:
> Jerry,
> This is what I'm working with so far.
>
> not sure if I've escaped everything I needed too.
>
> $ENG = mysql_real_escape_string($ENG);
> $result = mysql_query("SELECT * FROM br_test WHERE ENG LIKE '$ENG' ");
> $row = mysql_fetch_array( $result );
>
> The $ENG is the input from the search form..
> The JS problem is valid but then again it will be in a locked down iOS
> app using PhoneGAp. An I'll be using a HTTPs tunnel to the PHP
> scripts.. use some sort of cookie with a SSL flag to lock it down. So
> someone could JailBreak an iOS app and dig down in my settings and
> figure out the JS but I don't think that likely but ur right I want to
> take every precaution.
>
> -dw
Yes, that will work very nicely (although it's not considered good form
to use SELECT * - rather select the individual columns. It will save
you heartache later).
There are more ways than just jailbreaking the IPhone. There is no
guarantee that the request even came from your app on an IPhone. The
request can easily be faked in any number of ways. And there's no
guaranteed way to "lock it down" and be sure, unless you don't make it
ever available via the internet.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178364 is a reply to message #178363] |
Mon, 11 June 2012 18:38 |
J.O. Aho
Messages: 194
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle wrote:
> On 6/11/2012 1:01 PM, mrgushi wrote:
>> Jerry,
>> This is what I'm working with so far.
>>
>> not sure if I've escaped everything I needed too.
>>
>> $ENG = mysql_real_escape_string($ENG);
>> $result = mysql_query("SELECT * FROM br_test WHERE ENG LIKE '$ENG' ");
>> $row = mysql_fetch_array( $result );
>>
>> The $ENG is the input from the search form..
>> The JS problem is valid but then again it will be in a locked down iOS
>> app using PhoneGAp. An I'll be using a HTTPs tunnel to the PHP
>> scripts.. use some sort of cookie with a SSL flag to lock it down. So
>> someone could JailBreak an iOS app and dig down in my settings and
>> figure out the JS but I don't think that likely but ur right I want to
>> take every precaution.
>>
> Yes, that will work very nicely (although it's not considered good form to use
> SELECT * - rather select the individual columns. It will save you heartache
> later).
>
> There are more ways than just jailbreaking the IPhone. There is no guarantee
> that the request even came from your app on an IPhone. The request can easily
> be faked in any number of ways. And there's no guaranteed way to "lock it
> down" and be sure, unless you don't make it ever available via the internet.
>
Don't forget man in the middle, using https will not protect against that.
--
//Aho
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178370 is a reply to message #178364] |
Mon, 11 June 2012 21:06 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/11/2012 2:38 PM, J.O. Aho wrote:
> Jerry Stuckle wrote:
>> On 6/11/2012 1:01 PM, mrgushi wrote:
>>> Jerry,
>>> This is what I'm working with so far.
>>>
>>> not sure if I've escaped everything I needed too.
>>>
>>> $ENG = mysql_real_escape_string($ENG);
>>> $result = mysql_query("SELECT * FROM br_test WHERE ENG LIKE '$ENG' ");
>>> $row = mysql_fetch_array( $result );
>>>
>>> The $ENG is the input from the search form..
>>> The JS problem is valid but then again it will be in a locked down iOS
>>> app using PhoneGAp. An I'll be using a HTTPs tunnel to the PHP
>>> scripts.. use some sort of cookie with a SSL flag to lock it down. So
>>> someone could JailBreak an iOS app and dig down in my settings and
>>> figure out the JS but I don't think that likely but ur right I want to
>>> take every precaution.
>>>
>> Yes, that will work very nicely (although it's not considered good
>> form to use
>> SELECT * - rather select the individual columns. It will save you
>> heartache
>> later).
>>
>> There are more ways than just jailbreaking the IPhone. There is no
>> guarantee
>> that the request even came from your app on an IPhone. The request can
>> easily
>> be faked in any number of ways. And there's no guaranteed way to "lock it
>> down" and be sure, unless you don't make it ever available via the
>> internet.
>>
>
> Don't forget man in the middle, using https will not protect against that.
>
Actually, it will. HTTPS transmissions are encrypted between the client
and the server using public/private key encryption. That's the whole
purpose of HTTPS.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178378 is a reply to message #178358] |
Tue, 12 June 2012 07:38 |
alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
El 11/06/2012 17:34, mrgushi escribió/wrote:
> First time poster here. I'm working on an App that needs to be able to
> querry my DB via PHP in particular those items such as periods commas
> slashes and things that mysql_real_escape_string cleans out to prevent
> SQL injection attacks. How would you recommend doing that securely? My
> SQL login rights in the script are read only is that enough?
>
> I was thinking of using JS to modify the querry before they hit the
> mysql_real_escape_string such that I have a custom DB lookup for each
> major punctuation... A period = punc1 A comma = punc2 etc.... Any
> Alternate thoughts would be appreciated.
> THX
>
> PS- My app is a English Translation guide to Braille so I need to be
> able to lookup punctuation in the DB somehow.
You seem to think that mysql_real_escape_string() strips out certain
characters. Nope, it doesn't. A database library that corrupts data by
design would be pretty unreliable!
Just run this query in your favourite MySQL client (get one if you don't
have any):
SELECT 'O\'Brian'
Does it print a backslash? Sure it doesn't. The backslash is just a SQL
syntax element, just like the single quotes (which aren't printed either).
Whatever, if I was to write an app from scratch I wouldn't stick to the
legacy MySQL extension. Needing to escape all parameters one by one is
pretty annoying. Try out a library that offers prepared statements, such
as MySQLi or PDO.
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178379 is a reply to message #178361] |
Tue, 12 June 2012 09:26 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
mrgushi, 11.06.2012 18:48:
> Interesting... Thx.
> You have any samples codes to give me an idea of how something like
> that would work. The JS issue is a fantastic point but not as
I assume you can use the mysqli extension and we have a table named
"lookuptable" where you want to get a result (id, data) for a specified
key, which was passed as GET parameter "key":
<?php
// Check, if GET parameter "key" is set
if(!isset($_GET['key']))
{
echo 'Parameter missing';
exit();
}
// Open database connection
$db = new mysqli('host', 'username', 'password', 'db');
// Handle connection error
if(mysqli_connect_errno())
{
echo 'Database connection failed: '.mysqli_connect_errno();
exit();
}
// Prepare SELECT statement with a placeholder (?) for the key
$stmt = $db->prepare('SELECT id, data FROM lookuptable WHERE key=?');
if($stmt)
{
// Bind key parameter as string
$stmt->bind_param('s', $_GET['key']);
// Execute the statement
$stmt->execute();
// Bind the result columns
$stmt->bind_result($id, $data);
// Fetch the first row from the table
if($stmt->fetch())
{
echo 'ID: '.$id.', data: '.$data;
}
// Close the statement
$stmt->close();
}
// Close the database connection
$db->close();
?>
For further information see:
<http://www.php.net/manual/en/book.mysqli.php>
Or as an alternative to mysqli you can also use PDO:
<http://de.php.net/manual/en/book.pdo.php>
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178380 is a reply to message #178362] |
Tue, 12 June 2012 09:32 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
mrgushi, 11.06.2012 19:01:
> Jerry,
> This is what I'm working with so far.
>
> not sure if I've escaped everything I needed too.
>
> $ENG = mysql_real_escape_string($ENG);
> $result = mysql_query("SELECT * FROM br_test WHERE ENG LIKE '$ENG' ");
> $row = mysql_fetch_array( $result );
>
> The $ENG is the input from the search form..
> The JS problem is valid but then again it will be in a locked down iOS
> app using PhoneGAp. An I'll be using a HTTPs tunnel to the PHP
> scripts.. use some sort of cookie with a SSL flag to lock it down. So
And this will prevent HTTP requests via SSL by an attacker from
somewhere? Why? Will the queries only be executed, if there is a "valid"
cookie? And why is the cookie "valid"? An attacker can not establish an
SSL connectio to your server? An attacker can not generate "valid"
cookies on his own and use them with curl/wget etc.?
Just to think about...
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178381 is a reply to message #178370] |
Tue, 12 June 2012 09:35 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle, 11.06.2012 23:06:
> On 6/11/2012 2:38 PM, J.O. Aho wrote:
[...]
>> Don't forget man in the middle, using https will not protect against
>> that.
>
> Actually, it will. HTTPS transmissions are encrypted between the client
> and the server using public/private key encryption. That's the whole
> purpose of HTTPS.
But only if the client *only* trusts the specific certificate. Otherwise
the man in the middle can just set up a proxy which also accepts SSL
connections and provides a valid certificate. There have been a number
of broken CAs in the past which allowed virtually anyone to create
signed and "trusted" certificates for any domain
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178382 is a reply to message #178381] |
Tue, 12 June 2012 12:00 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/12/2012 5:35 AM, Arno Welzel wrote:
> Jerry Stuckle, 11.06.2012 23:06:
>
>> On 6/11/2012 2:38 PM, J.O. Aho wrote:
> [...]
>>> Don't forget man in the middle, using https will not protect against
>>> that.
>>
>> Actually, it will. HTTPS transmissions are encrypted between the client
>> and the server using public/private key encryption. That's the whole
>> purpose of HTTPS.
>
> But only if the client *only* trusts the specific certificate. Otherwise
> the man in the middle can just set up a proxy which also accepts SSL
> connections and provides a valid certificate. There have been a number
> of broken CAs in the past which allowed virtually anyone to create
> signed and "trusted" certificates for any domain
>
>
Setting up a proxy would mean alternations to the domain name servers
data. Additionally, the certificate either would not match the domain
name or the certificate would not be signed by a recognized authority
(which is a good reason to use a trusted certificate).
I don't know of any broken CAs in the past, but there could have been.
However, the ones I use won't issue a certificate just to anyone.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178401 is a reply to message #178382] |
Thu, 14 June 2012 06:47 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle, 12.06.2012 14:00:
> On 6/12/2012 5:35 AM, Arno Welzel wrote:
>> Jerry Stuckle, 11.06.2012 23:06:
>>
>>> On 6/11/2012 2:38 PM, J.O. Aho wrote:
>> [...]
>>>> Don't forget man in the middle, using https will not protect against
>>>> that.
>>>
>>> Actually, it will. HTTPS transmissions are encrypted between the client
>>> and the server using public/private key encryption. That's the whole
>>> purpose of HTTPS.
>>
>> But only if the client *only* trusts the specific certificate. Otherwise
>> the man in the middle can just set up a proxy which also accepts SSL
>> connections and provides a valid certificate. There have been a number
>> of broken CAs in the past which allowed virtually anyone to create
>> signed and "trusted" certificates for any domain
>
> Setting up a proxy would mean alternations to the domain name servers
> data. Additionally, the certificate either would not match the domain
> name or the certificate would not be signed by a recognized authority
> (which is a good reason to use a trusted certificate).
Nameservers can be compromised - e.g. by cache poisoning.
> I don't know of any broken CAs in the past, but there could have been.
> However, the ones I use won't issue a certificate just to anyone.
And these are?
Just as a reminder: DigiNotar, Comodo, RSA - just to name a few who
already got compromised.
Also see:
< http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/>
< http://www.itscolumn.com/2011/09/certificate-authority-hacked-google-faced- mitm-attack/>
The whole model of trusting CAs and not single certificates (as in SSH)
must be considered broken.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178403 is a reply to message #178401] |
Thu, 14 June 2012 11:40 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/14/2012 2:47 AM, Arno Welzel wrote:
> Jerry Stuckle, 12.06.2012 14:00:
>
>> On 6/12/2012 5:35 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 11.06.2012 23:06:
>>>
>>>> On 6/11/2012 2:38 PM, J.O. Aho wrote:
>>> [...]
>>>> > Don't forget man in the middle, using https will not protect against
>>>> > that.
>>>>
>>>> Actually, it will. HTTPS transmissions are encrypted between the client
>>>> and the server using public/private key encryption. That's the whole
>>>> purpose of HTTPS.
>>>
>>> But only if the client *only* trusts the specific certificate. Otherwise
>>> the man in the middle can just set up a proxy which also accepts SSL
>>> connections and provides a valid certificate. There have been a number
>>> of broken CAs in the past which allowed virtually anyone to create
>>> signed and "trusted" certificates for any domain
>>
>> Setting up a proxy would mean alternations to the domain name servers
>> data. Additionally, the certificate either would not match the domain
>> name or the certificate would not be signed by a recognized authority
>> (which is a good reason to use a trusted certificate).
>
> Nameservers can be compromised - e.g. by cache poisoning.
>
And exactly how often has that occurred? And who has the tools to do it?
>> I don't know of any broken CAs in the past, but there could have been.
>> However, the ones I use won't issue a certificate just to anyone.
>
> And these are?
>
Thwate, for one. Verisign for another.
> Just as a reminder: DigiNotar, Comodo, RSA - just to name a few who
> already got compromised.
>
> Also see:
>
> < http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/>
>
> < http://www.itscolumn.com/2011/09/certificate-authority-hacked-google-faced- mitm-attack/>
>
> The whole model of trusting CAs and not single certificates (as in SSH)
> must be considered broken.
>
>
And you have a better solution?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178413 is a reply to message #178403] |
Fri, 15 June 2012 20:36 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle, 14.06.2012 13:40:
> On 6/14/2012 2:47 AM, Arno Welzel wrote:
>> Jerry Stuckle, 12.06.2012 14:00:
[...]
>>> Setting up a proxy would mean alternations to the domain name servers
>>> data. Additionally, the certificate either would not match the domain
>>> name or the certificate would not be signed by a recognized authority
>>> (which is a good reason to use a trusted certificate).
>>
>> Nameservers can be compromised - e.g. by cache poisoning.
>>
>
> And exactly how often has that occurred? And who has the tools to do it?
To read more about: <http://www.kb.cert.org/vuls/id/800113>
Just because you can not imagine that his happens in reality does not
mean that you can ignore the problem.
I must admit that this problem is well known now for about 4 years and
hopefully anyone who's responsible for a nameserver did solve this - but
i mentioned it to show that "security" is not just "i use SSL, this i
secure".
>>> I don't know of any broken CAs in the past, but there could have been.
>>> However, the ones I use won't issue a certificate just to anyone.
>>
>> And these are?
>>
>
> Thwate, for one. Verisign for another.
VeriSign is also on the list of the CAs which had at least one security
problem:
< http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z8 20120202>
Of course they will never tell you about any details and of course you
shall believe that everything is perfectly fine.
And not to forget:
< http://www.thetechherald.com/articles/DigiNotar-security-incident-goes-from -bad-to-worse>
"In total, 531 fraudulent certificates were issued during the DigiNotar
breach, including certificates for Google, Microsoft, MI6, the CIA, TOR,
Mossad, Skype, Twitter, Facebook, Thawte, VeriSign, and Comodo."
Do you still believe, the CA system is trustworthy?
>> Just as a reminder: DigiNotar, Comodo, RSA - just to name a few who
>> already got compromised.
>>
>> Also see:
>>
>> < http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/>
>>
>>
>> < http://www.itscolumn.com/2011/09/certificate-authority-hacked-google-faced- mitm-attack/>
>>
>>
>> The whole model of trusting CAs and not single certificates (as in SSH)
>> must be considered broken.
>
> And you have a better solution?
As i already said: Don't trust a CA, only trust (or don't trust) the
certificate. If it changes your browser will immediately tell you - even
if it was signed by a CA.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178417 is a reply to message #178413] |
Sat, 16 June 2012 01:07 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/15/2012 4:36 PM, Arno Welzel wrote:
> Jerry Stuckle, 14.06.2012 13:40:
>
>> On 6/14/2012 2:47 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 12.06.2012 14:00:
> [...]
>>>> Setting up a proxy would mean alternations to the domain name servers
>>>> data. Additionally, the certificate either would not match the domain
>>>> name or the certificate would not be signed by a recognized authority
>>>> (which is a good reason to use a trusted certificate).
>>>
>>> Nameservers can be compromised - e.g. by cache poisoning.
>>>
>>
>> And exactly how often has that occurred? And who has the tools to do it?
>
> To read more about:<http://www.kb.cert.org/vuls/id/800113>
>
> Just because you can not imagine that his happens in reality does not
> mean that you can ignore the problem.
>
Quite frankly, I don't believe everything I see on the web. Do you have
any proof this has actually occurred?
> I must admit that this problem is well known now for about 4 years and
> hopefully anyone who's responsible for a nameserver did solve this - but
> i mentioned it to show that "security" is not just "i use SSL, this i
> secure".
>
Again - do you have proof any of this has actually occurred?
>>>> I don't know of any broken CAs in the past, but there could have been.
>>>> However, the ones I use won't issue a certificate just to anyone.
>>>
>>> And these are?
>>>
>>
>> Thwate, for one. Verisign for another.
>
> VeriSign is also on the list of the CAs which had at least one security
> problem:
>
> < http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z8 20120202>
>
> Of course they will never tell you about any details and of course you
> shall believe that everything is perfectly fine.
>
> And not to forget:
>
> < http://www.thetechherald.com/articles/DigiNotar-security-incident-goes-from -bad-to-worse>
>
> "In total, 531 fraudulent certificates were issued during the DigiNotar
> breach, including certificates for Google, Microsoft, MI6, the CIA, TOR,
> Mossad, Skype, Twitter, Facebook, Thawte, VeriSign, and Comodo."
>
> Do you still believe, the CA system is trustworthy?
>
Again, I don't believe everything I see on the Internet. But I have
used both Thawte and Versign, and know what a company has to go through
to get a certificate.
Again, do you have any proof any of this has occurred? Or just a web
site which claims such?
>>> Just as a reminder: DigiNotar, Comodo, RSA - just to name a few who
>>> already got compromised.
>>>
>>> Also see:
>>>
>>> < http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/>
>>>
>>>
>>> < http://www.itscolumn.com/2011/09/certificate-authority-hacked-google-faced- mitm-attack/>
>>>
>>>
>>> The whole model of trusting CAs and not single certificates (as in SSH)
>>> must be considered broken.
>>
>> And you have a better solution?
>
> As i already said: Don't trust a CA, only trust (or don't trust) the
> certificate. If it changes your browser will immediately tell you - even
> if it was signed by a CA.
>
>
So, what is your solution? Just telling someone not to trust a CA is
not a solution.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178418 is a reply to message #178417] |
Sat, 16 June 2012 06:33 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle, 16.06.2012 03:07:
> On 6/15/2012 4:36 PM, Arno Welzel wrote:
>>
[...]
>> To read more about:<http://www.kb.cert.org/vuls/id/800113>
>>
>> Just because you can not imagine that his happens in reality does not
>> mean that you can ignore the problem.
>>
>
> Quite frankly, I don't believe everything I see on the web. Do you have
> any proof this has actually occurred?
A well documented security hole does not exist for you, as long as
nothing worse happens to you?
["Trustworthy" CAs]
>> VeriSign is also on the list of the CAs which had at least one security
>> problem:
>>
>> < http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z8 20120202>
[...]
>> < http://www.thetechherald.com/articles/DigiNotar-security-incident-goes-from -bad-to-worse>
[...]
> Again, I don't believe everything I see on the Internet. But I have
> used both Thawte and Versign, and know what a company has to go through
> to get a certificate.
I know as well what it takes to get a SSL certificate signed by
VeriSign. Not much... generally just money.
On what base do you trust VeriSign or Thawte?
[...]
>> As i already said: Don't trust a CA, only trust (or don't trust) the
>> certificate. If it changes your browser will immediately tell you - even
>> if it was signed by a CA.
>
> So, what is your solution? Just telling someone not to trust a CA is
> not a solution.
That *is* the solution, if the CA is not trustworthy.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178419 is a reply to message #178418] |
Sat, 16 June 2012 13:25 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/16/2012 2:33 AM, Arno Welzel wrote:
> Jerry Stuckle, 16.06.2012 03:07:
>
>> On 6/15/2012 4:36 PM, Arno Welzel wrote:
>>>
> [...]
>>> To read more about:<http://www.kb.cert.org/vuls/id/800113>
>>>
>>> Just because you can not imagine that his happens in reality does not
>>> mean that you can ignore the problem.
>>>
>>
>> Quite frankly, I don't believe everything I see on the web. Do you have
>> any proof this has actually occurred?
>
> A well documented security hole does not exist for you, as long as
> nothing worse happens to you?
>
Sure - but how "open" is this security hole? How easy is it to take
advantage of?
You can say the same thing about 256 bit encryption. It's not secure -
it can be hacked. However, it would take all the computers in the world
longer than the universe has existed to hack it.
Or every time I leave my house, there is the security risk that someone
will break in and take everything. So I guess I should never leave my
house.
The fact is, "security holes" exist all around us. Just because the
possibility exists does not mean it is a vulnerability to be concerned
about.
These holes require the hacker be able to execute a specific pattern of
steps, which can easily be detected and prevented, as the cert.org
article stated. This patter can easily be detected and prevented. And
all of these security holes have had patches available for 4 years. No,
I don't consider these security holes to be significant.
> ["Trustworthy" CAs]
>>> VeriSign is also on the list of the CAs which had at least one security
>>> problem:
>>>
>>> < http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z8 20120202>
> [...]
>>> < http://www.thetechherald.com/articles/DigiNotar-security-incident-goes-from -bad-to-worse>
> [...]
>> Again, I don't believe everything I see on the Internet. But I have
>> used both Thawte and Versign, and know what a company has to go through
>> to get a certificate.
>
> I know as well what it takes to get a SSL certificate signed by
> VeriSign. Not much... generally just money.
>
> On what base do you trust VeriSign or Thawte?
>
I trust them because I have several clients with their certificates.
And it takes a lot more than just money to get the first certificate.
Renewals aren't bad, because you already have proven who you are previously.
> [...]
>>> As i already said: Don't trust a CA, only trust (or don't trust) the
>>> certificate. If it changes your browser will immediately tell you - even
>>> if it was signed by a CA.
>>
>> So, what is your solution? Just telling someone not to trust a CA is
>> not a solution.
>
> That *is* the solution, if the CA is not trustworthy.
>
>
That is not a solution. But you don't have one. All you can do is piss
and moan.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178439 is a reply to message #178433] |
Mon, 18 June 2012 12:48 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/18/2012 3:39 AM, Arno Welzel wrote:
> Jerry Stuckle, 16.06.2012 15:25:
>
>>> Jerry Stuckle, 16.06.2012 03:07:
>>>
> [...]
>>>> So, what is your solution? Just telling someone not to trust a CA is
>>>> not a solution.
>>>
>>> That *is* the solution, if the CA is not trustworthy.
>>
>> That is not a solution. But you don't have one. All you can do is piss
>> and moan.
>
> EOD... you don't get it.
>
>
I get it. You don't have a solution, so you restate the problem,
calling it a solution.
Just telling someone not to trust a CA is not a solution.
And BTW - I see you never responded to my proof that Verisign is a good
authority. If they are so untrusted, you should have no problem getting
a certificate for something like bankofamerica.com. I'd love to see you
do that. Then you'll have proof that they can't be trusted.
Otherwise you're just full of hot air.
Oh, and I see you also ignored my pointing out that the DNS system you
say is so untrusted has never been hacked like you claim it could be -
and that the patches to fix this hole are 4 years old. If the DNS
system is as full of holes as you claim, why hasn't it been hacked?
No, you're just full of hot air.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178441 is a reply to message #178439] |
Mon, 18 June 2012 17:30 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle, 18.06.2012 14:48:
[...]
> No, you're just full of hot air.
JFTR:
| I'm sorry to have to inform you that your message could not
| be delivered to one or more recipients. It's attached below.
|
| For further assistance, please send mail to postmaster.
|
| If you do so, please include this problem report. You can
| delete your own text from the attached returned message.
|
| The mail system
|
| <jstucklex(at)attglobal(dot)net>: host mx1.prserv.net[12.154.55.40] said: 551
not our
| customer (in reply to RCPT TO command)
At least you should use the TLD .invalid if you don't want e-mail.
And you offer service for customers? Oh my... m(
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178443 is a reply to message #178441] |
Mon, 18 June 2012 17:41 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/18/2012 1:30 PM, Arno Welzel wrote:
> Jerry Stuckle, 18.06.2012 14:48:
>
> [...]
>> No, you're just full of hot air.
>
> JFTR:
>
> | I'm sorry to have to inform you that your message could not
> | be delivered to one or more recipients. It's attached below.
> |
> | For further assistance, please send mail to postmaster.
> |
> | If you do so, please include this problem report. You can
> | delete your own text from the attached returned message.
> |
> | The mail system
> |
> |<jstucklex(at)attglobal(dot)net>: host mx1.prserv.net[12.154.55.40] said: 551
> not our
> | customer (in reply to RCPT TO command)
>
> At least you should use the TLD .invalid if you don't want e-mail.
>
> And you offer service for customers? Oh my... m(
>
>
Once again you can't answer the questions because you have none. So you
have to make ad hominem attacks.
How like a troll.
Oh, and you need to learn to read. The instructions for emailing me are
in my sig in every post. But I guess that's too hard for you, too.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178445 is a reply to message #178443] |
Mon, 18 June 2012 17:49 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle, 18.06.2012 19:41:
> Oh, and you need to learn to read. The instructions for emailing me are
> in my sig in every post. But I guess that's too hard for you, too.
"Instructions for emailing me are in my sig..."... oh my... m(
If you want people to be able to contact you via email, provide a valid
address.
Instructions in a signture are just a sign that you are not able to run
a proper spam filter on your own and you decided other people should do
the work for you...
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178447 is a reply to message #178443] |
Mon, 18 June 2012 18:21 |
Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
.oO(Jerry Stuckle)
> Oh, and you need to learn to read. The instructions for emailing me are
> in my sig in every post. But I guess that's too hard for you, too.
"To the postman:
The instructions for mailing me are on the back of the envelope.
Please fix the address as described there to find the right mailbox."
Don't expect people to solve stupid puzzles just in order to contact
you. Either the address works as-is or it doesn't. Maybe you want to
learn how to use spam filters. Or is it too hard for you, so that you
have to let other people do _your_ work?
Micha
--
http://mfesser.de/
Fotos | Blog | Flohmarkt
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178448 is a reply to message #178445] |
Mon, 18 June 2012 19:10 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/18/2012 1:49 PM, Arno Welzel wrote:
> Jerry Stuckle, 18.06.2012 19:41:
>
>> Oh, and you need to learn to read. The instructions for emailing me are
>> in my sig in every post. But I guess that's too hard for you, too.
>
> "Instructions for emailing me are in my sig..."... oh my... m(
>
> If you want people to be able to contact you via email, provide a valid
> address.
>
> Instructions in a signture are just a sign that you are not able to run
> a proper spam filter on your own and you decided other people should do
> the work for you...
>
>
If you can't read, then I really don't want you to contact me anyway.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178449 is a reply to message #178447] |
Mon, 18 June 2012 19:11 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/18/2012 2:21 PM, Michael Fesser wrote:
> .oO(Jerry Stuckle)
>
>> Oh, and you need to learn to read. The instructions for emailing me are
>> in my sig in every post. But I guess that's too hard for you, too.
>
> "To the postman:
> The instructions for mailing me are on the back of the envelope.
> Please fix the address as described there to find the right mailbox."
>
> Don't expect people to solve stupid puzzles just in order to contact
> you. Either the address works as-is or it doesn't. Maybe you want to
> learn how to use spam filters. Or is it too hard for you, so that you
> have to let other people do _your_ work?
>
> Micha
>
It's only a puzzle to the stoopid. The instructions are very clear.
And using a munged email address on usenet is quite common for very good
reasons.
If you can't understand the simple instructions, then I don't care that
you can't contact me.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178451 is a reply to message #178449] |
Mon, 18 June 2012 19:34 |
Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
.oO(Jerry Stuckle)
> It's only a puzzle to the stoopid. The instructions are very clear.
Sure, but why should anyone do it? It's completely unnecessary work and
a sign that you care more about yourself than about others.
> And using a munged email address on usenet is quite common for very good
> reasons.
It's common, but not for good reasons.
Although I use my current mail address for many years in Usenet now and
even use it for various website subscriptions, my inbox is still almost
spam-free because of good and learning filters.
Micha
--
http://mfesser.de/
Fotos | Blog | Flohmarkt
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178452 is a reply to message #178451] |
Mon, 18 June 2012 21:22 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/18/2012 3:34 PM, Michael Fesser wrote:
> .oO(Jerry Stuckle)
>
>> It's only a puzzle to the stoopid. The instructions are very clear.
>
> Sure, but why should anyone do it? It's completely unnecessary work and
> a sign that you care more about yourself than about others.
>
Nope, it means I don't want to put up with spam from automated harvesters.
>> And using a munged email address on usenet is quite common for very good
>> reasons.
>
> It's common, but not for good reasons.
>
That's YOUR opinion. Hundreds of thousands of USENET users disagree
with you.
> Although I use my current mail address for many years in Usenet now and
> even use it for various website subscriptions, my inbox is still almost
> spam-free because of good and learning filters.
>
> Micha
>
That's fine. You have control of your filters. I do not on this email
address. But it's also not one I use for business. Only USENET. I
don't want to have to put up with crap on my business emails.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178463 is a reply to message #178462] |
Tue, 19 June 2012 14:41 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/19/2012 9:36 AM, Arno Welzel wrote:
> Am 18.06.2012 21:34, schrieb Michael Fesser:
>> .oO(Jerry Stuckle)
>>
>>> It's only a puzzle to the stoopid. The instructions are very clear.
>>
>> Sure, but why should anyone do it? It's completely unnecessary work and
>> a sign that you care more about yourself than about others.
>>
>>> And using a munged email address on usenet is quite common for very good
>>> reasons.
>>
>> It's common, but not for good reasons.
>
> Is it?
>
> Valid addresses used in the last couple of days in this group:
>
> jwcarlton(at)gmail(dot)com
> hissoka05(at)gmail(dot)com
> taltene(at)gmail(dot)com
> alur(dot)pradeep(at)gmail(dot)com
> apavluck(at)gmail(dot)com
> ircadhikari(at)gmail(dot)com
> erwinmollerusenet(at)xs4all(dot)nl
> kurtk(at)pobox(dot)com
> usenet(at)arnowelzel(dot)de
> netizen(at)gmx(dot)de
> sheldonlg(at)thevillages(dot)net
> php(at)PointedEars(dot)de
> william(at)TechServSys(dot)com
>
> Valid adresses, but i assume nobody will read e-mail sent there:
>
> nobody(at)spamcop(dot)net
> noonehome(at)chalupasworld(dot)com
> me(at)privacy(dot)net
> Alan_Smith(dot)5cjybz(at)no-mx(dot)httppoint(dot)com
> hellsop(at)ninehells(dot)com
> QUITAESTO(at)QUITAESTO(dot)NOES
>
Guess they don't want anyone contacting them offline.
> Invalid adresses using TLD ".invalid":
>
> alvaro(dot)NOSPAMTHANX(at)demogracia(dot)com(dot)invalid
> tnp(at)invalid(dot)invalid
>
Guess these guys don't want people contacting them offline, either.
> Others - either invalid or "munged" (and also invalid):
>
> sorry_no_mail_here(at)nowhere(dot)dee
> jstucklex(at)attglobal(dot)net
>
Yup, munged. That way people can get ahold of me if they want.
> At least here i can not confirm that it is "common" to munge the sender
> address. Sometimes people use the TLD ".invalid" to indicate that they
> don't want e-mail or they use valid honeypots. The same seems to be true
> for many other newsgroups.
>
So? You're looking at one newsgroup - out of tens of thousands. Hardly
a representative sampling.
>> Although I use my current mail address for many years in Usenet now and
>> even use it for various website subscriptions, my inbox is still almost
>> spam-free because of good and learning filters.
>
> Same here. My usenet address is the one with *least* spam at all - but
> not only because of good filters, but because only a couple of spammers
> per week try to send something - something changed anyway:
>
> < https://arnowelzel.de/munin/arnowelzel.de/root.arnowelzel.de/postgrey_new-y ear.png>
>
>
Thanks, but I don't want false positives kicking out valid customers.
And I really don't care that you care so little about your potential
clients that you would kick out email from them due to a false positive.
So why don't you take your little trollish tirade and stuff it where the
sun doesn't shine - that way it will be right next to your head. 'Cause
I really don't give a damn what you think!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178467 is a reply to message #178463] |
Tue, 19 June 2012 15:34 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Am 19.06.2012 16:41, schrieb Jerry Stuckle:
> On 6/19/2012 9:36 AM, Arno Welzel wrote:
[...]
>> Same here. My usenet address is the one with *least* spam at all - but
>> not only because of good filters, but because only a couple of spammers
>> per week try to send something - something changed anyway:
>>
>> < https://arnowelzel.de/munin/arnowelzel.de/root.arnowelzel.de/postgrey_new-y ear.png>
>
> Thanks, but I don't want false positives kicking out valid customers.
You don't know anything about greylisting? Do you?
> And I really don't care that you care so little about your potential
> clients that you would kick out email from them due to a false positive.
But at least you care enough to tell me that i may not get emails from
potential clients because of false positives... don't worry, i never
lost an email due to filtering in the last 10 years (and i don't have to
spend a lot of time to deal with spam either). Otherwise i wouldn't have
used this system so far.
> So why don't you take your little trollish tirade and stuff it where the
> sun doesn't shine - that way it will be right next to your head. 'Cause
> I really don't give a damn what you think!
If this was true, you would just have ignored the posting. Anyway - F'up
to poster... enough here. Sorry for the fuzz.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
| Re: PHP mysql_excape but need to search for those items [message #178468 is a reply to message #178467] |
Tue, 19 June 2012 16:35 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/19/2012 11:34 AM, Arno Welzel wrote:
> Am 19.06.2012 16:41, schrieb Jerry Stuckle:
>
>> On 6/19/2012 9:36 AM, Arno Welzel wrote:
> [...]
>>> Same here. My usenet address is the one with *least* spam at all - but
>>> not only because of good filters, but because only a couple of spammers
>>> per week try to send something - something changed anyway:
>>>
>>> < https://arnowelzel.de/munin/arnowelzel.de/root.arnowelzel.de/postgrey_new-y ear.png>
>>>
>>
>> Thanks, but I don't want false positives kicking out valid customers.
>
> You don't know anything about greylisting? Do you?
>
Yes, I know all about greylisting.
>> And I really don't care that you care so little about your potential
>> clients that you would kick out email from them due to a false positive.
>
> But at least you care enough to tell me that i may not get emails from
> potential clients because of false positives... don't worry, i never
> lost an email due to filtering in the last 10 years (and i don't have to
> spend a lot of time to deal with spam either). Otherwise i wouldn't have
> used this system so far.
>
How do you know? Potential clients won't tell you. They'll just go
somewhere else.
>> So why don't you take your little trollish tirade and stuff it where the
>> sun doesn't shine - that way it will be right next to your head. 'Cause
>> I really don't give a damn what you think!
>
> If this was true, you would just have ignored the posting. Anyway - F'up
> to poster... enough here. Sorry for the fuzz.
>
>
>
You don't even know how to fup a message correctly! ROFLMAO!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]