Home page logo

webappsec logo WebApp Sec mailing list archives

RE: SQL Injection
From: "V. Poddubniy" <vpoddubniy () mail ru>
Date: Tue, 1 Jun 2004 00:37:22 +0400


This is not safe. May be some sql servers wiill accept double qoutes
instead of single... And what about user O'Neil? Is his last name bad?

Use sql command parameters, if your sql engine allows it. If it does not
work, this is bug in the engine... Send them some feedback :-)

Best regards,
 Vladimir Poddubniy

-----Original Message-----
From: Emanuele Zattin [mailto:emanuelez () mymachine mydomain com] 
Sent: Friday, May 28, 2004 11:18 AM
To: webappsec () securityfocus com
Subject: SQL Injection

Hello Everybody!
I recently found out that one of my websites suffered SQL injections

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem checking whether the logon or password variables 
contained the "'" char... is it safe enough? i checked around the net
found a recent paper from Imperva but it does not talk about single
checking... i tried to ude different encodings but that string in UTF-8
just the same... any hint?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]