timmy0320 Posted March 2, 2008

Alright, I have some concerns that maybe some of the security gurus here can answer for me, or maybe I just am not doing something right. When I'm testing my site for injections with non-persistent connections I get blind SQL vulnerabilities, even with all the filtering. When I use persistent connections I don't get any vulnerabilities.

My guess is my problem is I'm using a process page (process.php) to handle all of the user submissions. The process I am using is: the page (client.php) has the forms -> sends to process.php -> which processes errors through session.php (if errors are found, it kicks back to process, which sends it to its referring page) -> if all goes well, it goes through the database.php page to process the inputs.

Since all of my vulnerabilities are on process.php, I am guessing that I should move all of the error checking (done on session.php) into the bodies being called by the switch mode (login, register, etc.), but I don't want to move it all and have it still show the errors, because that is a lot of code. What I want to know is if it would be a better idea to do it that way (and if it would get rid of the vulnerabilities of blind attacks), because it's to the point where I'm seeing the results with no vulnerabilities using persistent connections, but if an attack were to happen, I'd rather it happen under a non-persistent connection, if that makes sense.

But I'm getting so irritated, and every site I read with examples is what I am doing. It's to the point where I'm just like f- it I'm gonna just use a persistent connection (even with all the places saying it's not recommended), although I'd really like to get this working under a non-persistent connection.
geethalakshmi Posted April 18, 2008

Hi,

Refer to the following site, which may help you in solving your problem: http://www.hiox.org/index.php?id=184

Regards,
Geethalakshmi
http://www.hiox.org/ http://www.zxcvbnm.in/
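The flow described in the first post (client.php form -> process.php switch -> session.php error checks -> database.php), sketched as an added example that is not part of either post and is not the poster's code. It shows that whether a value can alter the SQL depends on how the query is built in the database step (bound parameters here), not on where the error checking sits or on whether the connection is persistent. All function names, the `users` table, and the sample inputs are assumptions; SQLite in memory stands in for the real database so the script runs on its own.

```php
<?php
// Added example; every name below is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Constructed sample account.
$ins = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// session.php role: user-facing error checking. Useful, but not the injection defence.
function validate_login(array $in): array {
    $errors = [];
    $user = $in['username'] ?? null;
    $pass = $in['password'] ?? null;
    if (!is_string($user) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $user)) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }
    if (!is_string($pass) || $pass === '') {
        $errors[] = 'password is required';
    }
    return $errors;
}

// database.php role: the SQL text is fixed; user values are only ever bound as data.
function db_login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();            // false when no row matches
    return is_string($hash) && password_verify($pass, $hash);
}

// process.php role: dispatch on mode, validate, then call the database step.
function process(PDO $db, string $mode, array $in): string {
    switch ($mode) {
        case 'login':
            $errors = validate_login($in);
            if ($errors) {
                return 'rejected: ' . implode('; ', $errors);
            }
            return db_login($db, $in['username'], $in['password']) ? 'login ok' : 'login failed';
        default:
            return 'unknown mode';
    }
}

// Constructed inputs: one valid login, one quote-bearing value of the kind a scanner submits.
$probe = "alice' OR '1'='1";
echo process($db, 'login', ['username' => 'alice', 'password' => 'correct horse']), "\n";
echo process($db, 'login', ['username' => $probe, 'password' => 'x']), "\n";
// Validation skipped on purpose: the bound value is still compared as a plain string.
var_dump(db_login($db, $probe, 'x'));
```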
Archived
This topic is now archived and is closed to further replies.