sql-injection

I am using the Magento's functionality to insert & update queries. My requirement is that I want to take care of SQL Injection, when doing these types of queries. But I'm unable to find how Magento does this. I'm providing one start sample. Please provide me with one complete example. <?php $write = Mage::getSingleton("core/resource")->getConnection("core_write"); $sql = "INSERT INTO Mage_Example (Name, Email, Company, Description, Status, Date) VALUES ('$name', '$email', '$company', '$desc', '0', NOW())"; ?> Now I want to change the above query to prevent the possible SQL Injection. I don't

We have hundreds of websites which were developed in asp, .net and java and we are paying lot of money for an external agency to do a penetration testing for our sites to check for security loopholes. Are there any (good) software (paid or free) to do this? or.. are there any technical articles which can help me develop this tool? There are a couple different directions you can go with automated testing tools for web applications. First, there are the commercial web scanners , of which HP WebInspect and Rational AppScan are the two most popular. These are "all-in-one", "fire-and-forget" tools

I ask this question with a bit of sheepishness because I should know the answer. Could someone be kind and explain if and how injection could occur in the following code? <cfquery> select * from tableName where fieldName = '#value#' </cfquery> I'm specifically curious about injection attempts and other malicious input, not about best practices or input validation for handling "normal" user input. I see folks strongly advocating use of CFQueryParam, but don't think I see the point. If user input has been validated for consistency to the database schema (e.g. so that input must be numeric for

I'm in trouble with a group of hackers. they hacked my client's site few times, and my client gets more angry :( my client lost his database (which has hundreds records), and had to enter all :( now I'm following some more introductions; fixed file permissions changed ftp and host login info cleared all remote mysql accesses now working on SQL Injection issue. I added mysql_real_escape_string to admin panel login paramaters. So where else should I use this mysql_real_escape_string ? I have few email forms at site, I dont think i need to add there... I have an index.php as a mainpage. Should I

I have always read that Magic Quotes do not stop SQL Injections at all but I am not able to understand why not! As an example, let's say we have the following query: SELECT * FROM tablename WHERE email='$x'; Now, if the user input makes $x=' OR 1=1 -- , the query would be: SELECT * FROM tablename WHERE email='\' OR 1=1 --'; The backslash will be added by Magic Quotes with no damage done whatsoever! Is there a way that I am not seeing where the user can bypass the Magic Quote insertions here? The trick is usually to pass a binary value so that the backslash would become a part of valid