WebApp Sec mailing list archives

Re: SQL Injection
From: David Cameron <david () uberconcept com>
Date: Wed, 02 Jun 2004 18:34:14 +1000

The other thing to be aware of in SQL injection is when someone inserts a string where you expect an integer. This also tends to be caught when using parameterised queries as they are strongly typed. If you aren't using parameterised queries (and why aren't you), strong type checking is a must. An example of where this might be a problem:

SELECT *
FROM MyTable
WHERE SomeGRoupID = @Val

If the value 'SomeGRoupID' (without the quotes) were inserted, all values would be returned. I think you can see the possibilities of this approach.

David Cameron

Scovetta, Michael V wrote:
What if their name was O'Henry? Security must be paramount to the
developer, but invisible to the client. Best choice: parameterized
queries. Second best: have a stored procedure make the modification.
Third: filter IN good characters. Fourth: filter OUT bad characters.

Since I started using parameterized queries (via Java's
PreparedStatement object), I haven't run into a single SQL injection
issue. My hat's off to the developers for a clean, easy to use
IMHO, this is the way of the 'future'-- addslashes() and other hacks are
always going to suffer from special cases that get missed, or DBMS
oddities like strange escape sequences.

Michael Scovetta
Computer Associates
Application Developer

-----Original Message-----
From: Serg B. [mailto:serg () dodo com au]
Sent: Tuesday, June 01, 2004 9:37 AM
To: emanuelez () libero it
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection


Perhaps you could limit or anticipate the character set used for users'
usernames and passwords and filter out everything else?

On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:

Hello Everybody!
I recently found out that one of my websites suffered SQL injections

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem checking whether the logon or password
contained the "'" char... is it safe enough? i checked around the

found a recent paper from Imperva but it does not talk about single

checking... i tried to use different encodings but that string in

just the same... any hint?

Serg B. <serg () dodo com au>
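The three points raised in this thread (Emanuele's a' OR 'a'='a login, his single-quote check, and David's unquoted integer case) side by side, as an added example that is not code from any of the posters. It uses Python's sqlite3 module against a constructed in-memory Users table; the table, column names and rows are made up for the demonstration. It shows that the quote check stops the login payload but does nothing for a value that is substituted into an integer position without quotes, while a parameterised query plus an integer type check stops both.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the thread): three users in three groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Login TEXT, Password TEXT, SomeGroupID INTEGER)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 2), ("carol", "pw", 3)],
    )
    return conn


def _logins(cursor):
    return [row[0] for row in cursor]


# --- Emanuele's case: quoted string values ---------------------------------

def login_concat(conn, login, password):
    """Vulnerable: values pasted into the SQL text, as on the original site."""
    sql = ("SELECT Login FROM Users WHERE Login = '%s' AND Password = '%s' "
           "ORDER BY Login" % (login, password))
    return _logins(conn.execute(sql))


def login_quote_check(conn, login, password):
    """Emanuele's fix: reject any input containing a single quote."""
    if "'" in login or "'" in password:
        return []
    return login_concat(conn, login, password)


def login_param(conn, login, password):
    """Parameterised: the value never becomes part of the SQL text."""
    sql = "SELECT Login FROM Users WHERE Login = ? AND Password = ? ORDER BY Login"
    return _logins(conn.execute(sql, (login, password)))


# --- David's case: an integer position, substituted without quotes ---------

def by_group_concat(conn, val):
    """Vulnerable: @Val substituted unquoted, e.g. 'WHERE SomeGroupID = SomeGroupID'."""
    sql = "SELECT Login FROM Users WHERE SomeGroupID = %s ORDER BY Login" % val
    return _logins(conn.execute(sql))


def by_group_quote_check(conn, val):
    """The single-quote check is useless here: the payload needs no quote at all."""
    if "'" in val:
        return []
    return by_group_concat(conn, val)


def by_group_param(conn, group_id):
    """Parameterised query; group_id is already a Python int."""
    sql = "SELECT Login FROM Users WHERE SomeGroupID = ? ORDER BY Login"
    return _logins(conn.execute(sql, (group_id,)))


def by_group_typed(conn, val):
    """David's 'strong type checking': refuse anything that is not an integer,
    then bind the integer as a parameter."""
    try:
        group_id = int(val)
    except (TypeError, ValueError):
        raise ValueError("SomeGroupID must be an integer, got %r" % (val,))
    return by_group_param(conn, group_id)


if __name__ == "__main__":
    conn = make_db()
    payload = "a' OR 'a'='a"           # the login/password string from the thread
    print("concat login   :", login_concat(conn, payload, payload))       # every user
    print("quote check    :", login_quote_check(conn, payload, payload))  # blocked
    print("parameterised  :", login_param(conn, payload, payload))        # no match
    print("concat int     :", by_group_concat(conn, "SomeGroupID"))       # every user
    print("quote check int:", by_group_quote_check(conn, "SomeGroupID"))  # still every user
    print("typed + param  :", by_group_typed(conn, "2"))                  # just bob
    try:
        by_group_typed(conn, "SomeGroupID")
    except ValueError as e:
        print("typed + param  : rejected ->", e)
```

The quote check only works because Emanuele's query wraps the value in quotes; in the integer position there is nothing to escape, so the column name itself is the whole payload. Parameterised queries close both holes for the same reason: the driver sends the value separately from the statement, so it can only ever be compared as data.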
