Home page logo

webappsec logo WebApp Sec mailing list archives

RE: SQL Injection
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Tue, 1 Jun 2004 16:27:32 -0400

What if their name was O'Henry? Security must be paramount to the
developer, but invisible to the client. Best choice: parameterized
queries. Second best: have a stored procedure make the modification.
Third: filter IN good characters. Forth: filter OUT bad characters.

Since I started using parameterized queries (via Java's
PreparedStatement object), I haven't run into a single SQL injection
issue. My hat's off to the developers for a clean, easy to use

IMHO, this is the way of the 'future'-- addslashes() and other hacks are
always going to suffer from special cases that get missed, or DBMS
oddities like strange escape sequences.

Michael Scovetta
Computer Associates
Application Developer

-----Original Message-----
From: Serg B. [mailto:serg () dodo com au]
Sent: Tuesday, June 01, 2004 9:37 AM
To: emanuelez () libero it
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection


Perhaps you could limit or anticipate charecter set used for users
username and passwords and filter out everything else?

On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
Hello Everybody!
I recently found out that one of my websites suffered SQL injections

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem checking whether the logon or password
contained the "'" char... is it safe enough? i checked around the
found a recent paper from Imperva but it does not talk about single
checking... i tried to ude different encodings but that string in
just the same... any hint?
Serg B. <serg () dodo com au>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]