mailing list archives
Re: SQL Injection
From: "Serg B." <serg () dodo com au>
Date: Tue, 01 Jun 2004 23:36:54 +1000
Perhaps you could limit or anticipate charecter set used for users
username and passwords and filter out everything else?
On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
I recently found out that one of my websites suffered SQL injections like
Login: a' OR 'a'='a
Password: a' OR 'a'='a
I solved the problem checking whether the logon or password variables
contained the "'" char... is it safe enough? i checked around the net and
found a recent paper from Imperva but it does not talk about single chars
checking... i tried to ude different encodings but that string in UTF-8 is
just the same... any hint?
Serg B. <serg () dodo com au>