I think this is a great opportunity to talk about sanitizing one's data before sending it to the DB. There are two very easy things one can do if programming in PHP.

1) Addslashes - Returns a string with backslashes before characters that need to be escaped. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

2) htmlentities — Convert all applicable characters to HTML entities - this will convert any semicolons not enclosed in quotes into its HTML entity.

http://php.net/manual/en/security.database.sql-injection.php

Little Bobby Tables: http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png

I do not profess to be an expert in this area. I spent a lot of time looking into this about 10 years ago and still feel like I need to know more. I'm always eager to learn more in this area.

Please add your thoughts? Thanks!!

Keith

On 2016-09-14 01:41, der.hans wrote:
> On 14 Sep 2016, Herminio Hernandez, Jr. wrote:
>
>> Should I be concerned even if my SQL server is only listening on
>> localhost?
>
> Depends on what you have using it.
>
> If it's the DB for a web site, then it's possible that SQL injection can
> be used to modify your database.
>
> For instance, WordPress has lots of security issues, so it likely can be
> exploited to use SQL injection to talk to your DB.
>
> ciao,
>
> der.hans
>
>> On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair wrote:
>>
>>> FYI, minor improvement below to lock down a few edge cases (note, this is
>>> primarily for EXT{2,3,4} and other filesystems that support file
>>> attributes).
>>> You'll also need to remove the attribute manually before updating when
>>> patches become available.
>>>
>>> On 09/12/2016 12:33 PM, der.hans wrote:
>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>
>>>> moin moin,
>>>>
>>>>> Basically they mirror the repos. So when it hits Debian I will
>>>>> upgrade.
>>>>
>>>> Ah, OK.
>>>>
>>>> You might also want to create a couple of empty files and lock them down.
>>>>
>>>> $datadir can be exploited, so pre-emptively putting empty conf files in
>>>> there that can't be changed by mysql is a good idea.
>>>>
>>>> The following is for anyone with questions on locking down the config
>>>> files in $datadir.
>>>>
>>>> Presuming $datadir is /var/lib/mysql either of the following will lock
>>>> down the files when run as root, but the first will destroy files you
>>>> might already have.
>>>>
>>>> # >/var/lib/mysql/my.cnf
>>>> # >/var/lib/mysql/.my.cnf
>>>> # chmod 000 /var/lib/mysql/{.,}my.cnf
>>> # chattr +i /var/lib/mysql/{.,}my.cnf
>>>>
>>>> Or, with some minimal verification that it's safe...
>>>>
>>>> # for file in /var/lib/mysql/{.,}my.cnf; do
>>>> if [ ! -e "$file" ] ; then
>>>> >"$file"
>>>> chmod 000 "$file"
>>> chattr +i "$file"
>>>> ls -l "$file"
>>> lsattr "$file"
>>>> else
>>>> ls -l "$file"
>>> lsattr "$file"
>>>> echo "You might want to check on that"
>>>> fi
>>>> done
>>>>
>>>> ciao,
>>>>
>>>> der.hans
>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Sep 12, 2016, at 12:00 PM, der.hans wrote:
>>>>>>
>>>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>>>
>>>>>> moin moin,
>>>>>>
>>>>>>> Thanks have some SQL in DO droplets. Will be looking for this.
>>>>>>
>>>>>> Will DigitalOcean automagically apply the patches for you?
>>>>>>
>>>>>> I would expect it's in their best interest.
>>>>>>
>>>>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it
>>>>>> out already, but I no longer know anyone on the team over there, so am not
>>>>>> sure how quick they will be.
>>>>>>
>>>>>> This is admittedly one of the advantages of cloud. The infrastructure
>>>>>> providers can centrally test and roll out for everyone. The disadvantage
>>>>>> is if it's something that affects you, but they don't know or care about
>>>>>> it :).
>>>>>>
>>>>>> ciao,
>>>>>>
>>>>>> der.hans
>>>>>>
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On Sep 12, 2016, at 11:18 AM, der.hans wrote:
>>>>>>>>
>>>>>>>> moin moin,
>>>>>>>>
>>>>>>>> a MySQL remote exploit was announced this morning. Percona and MariaDB
>>>>>>>> already have fixes that have not yet hit the distros.
>>>>>>>>
>>>>>>>> https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662
>>>>>>>>
>>>>>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>>>>>>>>
>>>>>>>> Watch for updates.
>>>>>>>>
>>>>>>>> ciao,
>>>>>>>>
>>>>>>>> der.hans
>>>>>>>> --
>>>>>>>> # http://www.LuftHans.com/ http://www.PhxLinux.org/
>>>>>>>> # Fairy Tale, n.: A horror story to prepare children for the newspapers.
>>>>>>>> ---------------------------------------------------
>>>>>>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>
>>>>>> --
>>>>>> # http://www.LuftHans.com/ http://www.PhxLinux.org/
>>>>>> # "You go to Afghanistan and you swallow enough dust that you'll pass an
>>>>>> # adobe brick." -- Robin Williams, 03Aug2006
>>>>
>>>
>>
>

--
Keith Smith
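The $datadir lockdown quoted above (der.hans's check-before-create loop plus Joseph Sinclair's chattr +i step), as an added example that is not code from the thread: a POSIX sh script that separates classifying a path's state from locking it, so it can be re-run safely and reports when a pre-existing file was left for manual review. The function names, the state labels and the DATADIR argument (defaulting to /var/lib/mysql, as the thread presumes) are my own assumptions; it goes a little beyond the original by treating "already locked" as a distinct, successful outcome and by saying so when the immutable attribute could not be applied.

```shell
#!/bin/sh
# Added example, not code from the thread: lock down the config-file paths
# mysqld could read from $datadir, following der.hans's procedure plus Joseph
# Sinclair's chattr +i step. Function names and the state labels are mine.

# Permission string of a path as ls prints it, e.g. "----------" for mode 000.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Classify one path: "absent", "locked" (empty and mode 000) or "present"
# (something else is there; leave it for a human to inspect).
conf_state() {
    path=$1
    if [ ! -e "$path" ]; then
        echo absent
    elif [ ! -s "$path" ] && [ "$(perm_string "$path")" = "----------" ]; then
        echo locked
    else
        echo present
    fi
}

# Create an empty placeholder with mode 000, then try to make it immutable.
# chattr +i needs root (CAP_LINUX_IMMUTABLE) on a filesystem that supports
# attributes (EXT2/3/4, as Joseph notes); if that fails we report it rather
# than abort, so the caller can see that only the chmod step applied.
lock_conf() {
    target=$1
    : > "$target"
    chmod 000 "$target"
    if chattr +i "$target" 2>/dev/null; then
        echo "locked and immutable: $target"
    else
        echo "locked, but not immutable (chattr unavailable or not root): $target"
    fi
}

# Apply the check-then-lock rule to both candidate names in DATADIR
# (assumed default /var/lib/mysql, as in the thread). Returns 0 when every
# path is locked afterwards, 1 when a pre-existing file was left untouched.
lock_datadir() {
    dir=${1:-/var/lib/mysql}
    status=0
    for candidate in "$dir/my.cnf" "$dir/.my.cnf"; do
        case $(conf_state "$candidate") in
            absent)
                lock_conf "$candidate" ;;
            locked)
                echo "already locked: $candidate" ;;
            present)
                ls -l "$candidate"
                lsattr "$candidate" 2>/dev/null
                echo "You might want to check on that: $candidate"
                status=1 ;;
        esac
    done
    return "$status"
}

# Typical use, as root, on the live data directory:
#   lock_datadir
# Before applying a vendor patch that must rewrite these files, remove the
# attribute again: chattr -i /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf
```

Running it twice is harmless: the second pass reports "already locked" for both names. A non-zero exit means one of the paths held a real file, which the script leaves exactly as it found it.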