[WEB SECURITY] Beginner questions regarding PHP and MySQL Injection
- From: James Bensley <jwbensley@xxxxxxxxx>
- Subject: [WEB SECURITY] Beginner questions regarding PHP and MySQL Injection
- Date: Thu, 29 Jul 2010 10:33:36 +0100
List of great knowledge...

I have set myself up a test lab with some PHP and MySQL exercises; it seems the
infamous ' or 1=1 -- is too easy to exploit, in that these days only a
fool would allow it to happen; I can only get it to
work if I give it a stupidly oversized helping hand :D
(i.e. php magic quotes is turned off and no input validation of any sort
is being performed).

As soon as I start using as a minimum stringslashes() and/or
mysql_real_escape_string() and/or turn magic quotes on, I can no
longer escape the PHP code that builds the MySQL query to perform an
injection.

Does anyone have any pointers, advice, good reading etc. they can link
that can explain how I can escape these methods? Or perhaps a better
way of trying to implement my SQL injection?
--
Regards,
James.
http://www.jamesbensley.co.cc/
There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?
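
The lab behaviour described in the message above, reproduced as an added example that is not part of the original post: it shows why the quoted string only works against an unescaped, concatenated query, and how escaping and bound parameters each keep it as data. It assumes Python with an in-memory SQLite database in place of PHP and MySQL; the table, rows, query shape and function names are constructed for illustration.

```python
import sqlite3

PAYLOAD = "' or 1=1 --"  # the string quoted in the message


def make_db():
    """In-memory stand-in for the lab database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def build_query(name, password):
    """Assumed shape of the lab's query: values pasted between quotes."""
    return ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
            % (name, password))


def escape_literal(value):
    """SQLite's quoting rule: double each single quote. MySQL's
    mysql_real_escape_string() uses backslashes instead; either way the
    quote stays inside the string literal."""
    return value.replace("'", "''")


def login_concat(db, name, password):
    # No escaping: a quote in `name` ends the literal, the rest is parsed as SQL.
    return [r[0] for r in db.execute(build_query(name, password))]


def login_escaped(db, name, password):
    # Escaped: the quote stays data, so the whole payload is compared as a name.
    return [r[0] for r in db.execute(
        build_query(escape_literal(name), escape_literal(password)))]


def login_bound(db, name, password):
    # Bound parameters: values never become part of the SQL text at all.
    return [r[0] for r in db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password))]


if __name__ == "__main__":
    db = make_db()
    print(build_query(PAYLOAD, "x"))
    for fn in (login_concat, login_escaped, login_bound):
        print(fn.__name__, fn(db, PAYLOAD, "x"), fn(db, "alice", "s3cret"))
```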