Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: SQL Injection
From: David Cameron <david () uberconcept com>
Date: Wed, 02 Jun 2004 18:34:14 +1000

The other thing to be aware of in SQL injection is when someone inserts a string where you expect an integer. This also tends to be caught when using parameterised queries as they are strongly typed. If you aren't using parameterised queried (and why aren't you), strong type checking is a must. An example of where this might be a problem:

SELECT *
FROM MyTable
WHERE SomeGRoupID = @Val

If the value 'SomeGRoupID' (without the quotes) were inserted, all values would be returned. I think you can see the possibilities of this approach.

regards
David Cameron


Scovetta, Michael V wrote:
What if their name was O'Henry? Security must be paramount to the
developer, but invisible to the client. Best choice: parameterized
queries. Second best: have a stored procedure make the modification.
Third: filter IN good characters. Forth: filter OUT bad characters.

Since I started using parameterized queries (via Java's
PreparedStatement object), I haven't run into a single SQL injection
issue. My hat's off to the developers for a clean, easy to use
interface.
IMHO, this is the way of the 'future'-- addslashes() and other hacks are
always going to suffer from special cases that get missed, or DBMS
oddities like strange escape sequences.

Michael Scovetta
Computer Associates
Application Developer


-----Original Message-----
From: Serg B. [mailto:serg () dodo com au]
Sent: Tuesday, June 01, 2004 9:37 AM
To: emanuelez () libero it
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection

Hi,

Perhaps you could limit or anticipate charecter set used for users
username and passwords and filter out everything else?


On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:

Hello Everybody!
I recently found out that one of my websites suffered SQL injections

like

this:

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem checking whether the logon or password

variables

contained the "'" char... is it safe enough? i checked around the

net

and

found a recent paper from Imperva but it does not talk about single

chars

checking... i tried to ude different encodings but that string in

UTF-8

is

just the same... any hint?

--
Serg B. <serg () dodo com au>







  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault