Home page logo

webappsec logo WebApp Sec mailing list archives

Re: SQL Injection
From: "Paul" <paul () mnwebhost net>
Date: Tue, 1 Jun 2004 14:23:46 -0500

As was pointed out in another response to your post, you should capture all
' (single quote) and replace them with \' (escaped single quote).  That goes
for double quotes as well.  As pointed out, PHP has built in functions like
addquotes and stripquotes and even has a feature called magic_quotes that
you could look into.

Another thing to watch for in the user input boxes is -- (double dashes),
and /* both of which are the start of sql comments and may instruct the db
to ignore the rest of the line.  Also, watch out for "UNION SELECT" but make
sure your detection simply looks for whitespace between the two sql
keywords, otherwise I could just use "UNION  SELECT" (with 2 spaces or a tab
or ??).

There may be valid reasons for users to input certain things like -- or /*
but probably not in a user/pass situation.  If you do need to allow things
that you also want to block, then just convert them to their html equiv.

That said I'm not a huge fan of signature detection but there is nothing
wrong with it as part of a balanced security system.  As I see it, IMHO, the
biggest problem with it is that some developers (even vendors) tend to rely
on it as their main defense, and someone with enough time on their hands and
a little insight can bypass most commerical signature detectors.


----- Original Message ----- 
From: "Emanuele Zattin" <emanuelez () mymachine mydomain com>
To: <webappsec () securityfocus com>
Sent: Friday, May 28, 2004 2:17 AM
Subject: SQL Injection

Hello Everybody!
I recently found out that one of my websites suffered SQL injections like

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem checking whether the logon or password variables
contained the "'" char... is it safe enough? i checked around the net and
found a recent paper from Imperva but it does not talk about single chars
checking... i tried to ude different encodings but that string in UTF-8 is
just the same... any hint?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]