Home page logo

webappsec logo WebApp Sec mailing list archives

Re: SQL Injection
From: windo () windowlicker dyn ee
Date: Tue, 1 Jun 2004 08:43:32 +0300


I solved the problem checking whether the logon or password variables 
contained the "'" char... is it safe enough? i checked around the net and 
found a recent paper from Imperva but it does not talk about single chars 
checking... i tried to ude different encodings but that string in UTF-8 is 
just the same... any hint?

with php, you would use addslashes() on any user input (or with a
reasonably recent php, magic_quotes would do it for you). The industry
standard way to handle this is to escape single quotes so that they
wouldn't get interpeted as single quotes - the string terminating 
symbols - by the SQL server, but as single quotes - the characters. Im
pretty sure your preffered language has a function for that, but it
would propably be trivial to just substitute all ' with \'.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]