RE: SQL Injection
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Tue, 1 Jun 2004 16:27:32 -0400
What if their name was O'Henry? Security must be paramount to the
developer, but invisible to the client. Best choice: parameterized
queries. Second best: have a stored procedure make the modification.
Third: filter IN good characters. Fourth: filter OUT bad characters.
Since I started using parameterized queries (via Java's
PreparedStatement object), I haven't run into a single SQL injection
issue. My hat's off to the developers for a clean, easy to use
IMHO, this is the way of the 'future'-- addslashes() and other hacks are
always going to suffer from special cases that get missed, or DBMS
oddities like strange escape sequences.

From: Serg B. [mailto:serg () dodo com au]
Sent: Tuesday, June 01, 2004 9:37 AM
To: emanuelez () libero it
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection

Perhaps you could limit or anticipate the character set used for users'
usernames and passwords and filter out everything else?

On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
I recently found out that one of my websites suffered SQL injections
Login: a' OR 'a'='a
Password: a' OR 'a'='a
I solved the problem checking whether the logon or password
contained the "'" char... is it safe enough? I checked around the
found a recent paper from Imperva but it does not talk about single
checking... I tried to use different encodings but that string in
just the same... any hint?
Serg B. <serg () dodo com au>
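The three approaches discussed in this thread (string concatenation, rejecting inputs that contain a single quote, and parameterized queries) side by side, as an added example that is not part of the original thread. It uses Python's sqlite3 module, whose `?` placeholders play the same role as Java's PreparedStatement parameters, and an in-memory table with two constructed users: the login payload is the one from the original report, and the apostrophe case is the "O'Henry" problem raised in the reply.

```python
import sqlite3

# Constructed sample data. Passwords are stored in clear only to keep the
# example short; a real application stores and compares password hashes.
USERS = [("alice", "wonderland"), ("O'Henry", "gift")]

INJECTION = "a' OR 'a'='a"  # the payload quoted in the original report


def setup_db():
    """In-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the query is assembled by string concatenation, so user
    input becomes part of the SQL grammar instead of a value."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_quote_filter(conn, username, password):
    """The fix proposed in the thread: reject any input containing a single
    quote, then run the concatenated query as before."""
    if "'" in username or "'" in password:
        return False
    return login_concat(conn, username, password)


def login_param(conn, username, password):
    """Parameterized query: the driver binds the values, so they can never
    change the structure of the statement, whatever characters they hold."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def try_login(fn, conn, username, password):
    """Run one login function; report 'error' if the DBMS rejected the SQL."""
    try:
        return fn(conn, username, password)
    except sqlite3.Error:
        return "error"


def run_demo():
    """Exercise each login variant with four inputs and collect the outcomes."""
    conn = setup_db()
    cases = {
        "valid": ("alice", "wonderland"),
        "wrong_pw": ("alice", "nope"),
        "injection": (INJECTION, INJECTION),
        "apostrophe": ("O'Henry", "gift"),
    }
    results = {}
    for name, fn in (("concat", login_concat),
                     ("quote_filter", login_quote_filter),
                     ("param", login_param)):
        results[name] = {case: try_login(fn, conn, u, p)
                         for case, (u, p) in cases.items()}
    return results


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(f"{name:13s} {res}")
```

Running it shows the trade-off in one table: the concatenated query lets the injection payload log in and throws a syntax error for O'Henry; the quote filter stops the payload but also locks O'Henry out of his own account; the parameterized query rejects the payload and accepts the legitimate apostrophe, which is why the reply ranks it first.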