WebApp Sec mailing list archives
RE: Strange beaviour in sql injection
From: "Dennis Hurst" <dhurst () spidynamics com>
Date: Tue, 29 Oct 2002 09:06:34 -0500
Antonio,

It's possible that the person is checking to make sure you passed a value that can be converted to a numeric, something like this:

    if IsNumeric(Request("passedID")) then
        'all is well, build the SQL
        sSql = "select * from myTable where ID = " & Request("passedID")
        'do some database stuff here
    else
        'go away, you're doing something bad....
    end if

Now, if the "passedID" parameter were a string that contained "1,1" it would pass the IsNumeric() call because "1,1" is converted to "11" by VB/ASP; however, when it's passed to the SQL server it is not a valid numeric value, so the SQL server will choke and give the SQL error message. So you have a hybrid form of SQL Injection.

The proper way to do it would have been:

    if IsNumeric(Request("passedID")) then
        'all is well, build the SQL
        sSql = "select * from myTable where ID = " & cstr(clng(Request("passedID")))
        'do some database stuff here
    else
        'go away, you're doing something bad....
    end if

Using the cstr(CLng()) functions will convert it to a numeric and back again, effectively removing the SQL Injection.

Hope this helps.

Have a great day,
Dennis Hurst

-----Original Message-----
From: Securityinfos [mailto:admin () securityinfos com]
Sent: Tuesday, October 29, 2002 4:32 AM
To: webappsec () securityfocus com
Subject: Strange beaviour in sql injection

Conducting a pentest on a web application I discovered something strange. The web application correctly replaces single quote (') with double quote ('') and correctly checks if the value is numeric, but inserting a value containing a comma in the query URL makes the application show an error. For example:

http://www.webapplication.com/show.asp?id=1,1

shows the error.

So, can we deduce that the previous dogmas for securing a web application, replacing quotes and checking if a value is numeric, are not enough?

I'd like to know also what Kevin Spett thinks.. thanks..

Antonio Stano
Securityinfos
http://www.securityinfos.com
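The three variants discussed in the thread, side by side, as an added example that is not part of the original posts and not the list members' own code. It uses Python with an in-memory SQLite table standing in for the SQL server; `loose_is_numeric()` and `clng_like()` are assumed approximations of VBScript's IsNumeric() and CLng() (accepting and stripping embedded commas), not the real VB implementations. `lookup_unsafe()` is the concatenation pattern from the first snippet, `lookup_cast()` is the cstr(clng()) fix, and `lookup_param()` adds a strict integer parse plus a parameterised query, which is what a modern reviewer would ask for.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO myTable VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (11, "carol")],
    )
    return conn


def loose_is_numeric(value):
    """Assumed approximation of VBScript IsNumeric(): digits with optional
    sign, embedded thousands-separator commas and a decimal part all pass.
    Anything containing letters, spaces or quotes fails."""
    return re.fullmatch(r"[+-]?\d[\d,]*(\.\d+)?", value) is not None


def clng_like(value):
    """Assumed approximation of VB CLng() on a string that passed IsNumeric:
    drop the commas and round to a whole number, so "1,1" becomes 11."""
    if not loose_is_numeric(value):
        raise ValueError("not numeric")
    return int(round(float(value.replace(",", ""))))


def lookup_unsafe(conn, passed_id):
    """Pattern from the thread: IsNumeric-style check, then concatenation.
    The raw text "1,1" reaches the SQL engine and is a syntax error there."""
    if not loose_is_numeric(passed_id):
        raise ValueError("rejected by numeric check")
    sql = "SELECT ID, name FROM myTable WHERE ID = " + passed_id
    return conn.execute(sql).fetchall()


def lookup_cast(conn, passed_id):
    """The cstr(clng()) fix: only an integer literal is ever concatenated.
    No SQL error any more, but note that "1,1" silently becomes ID 11."""
    sql = "SELECT ID, name FROM myTable WHERE ID = " + str(clng_like(passed_id))
    return conn.execute(sql).fetchall()


def lookup_param(conn, passed_id):
    """Strict parse plus a bound parameter: the value is never part of the
    SQL text, and an ambiguous string like "1,1" is rejected outright."""
    if not re.fullmatch(r"[+-]?\d+", passed_id):
        raise ValueError("not a plain integer")
    return conn.execute(
        "SELECT ID, name FROM myTable WHERE ID = ?", (int(passed_id),)
    ).fetchall()


def outcome(func, conn, passed_id):
    """Run one lookup and report what happened as a comparable tuple."""
    try:
        return ("rows", func(conn, passed_id))
    except ValueError as exc:
        return ("rejected", str(exc))
    except sqlite3.Error as exc:
        return ("sql_error", type(exc).__name__)


if __name__ == "__main__":
    conn = make_db()
    for value in ("1", "1,1", "1 OR 1=1"):
        for func in (lookup_unsafe, lookup_cast, lookup_param):
            print(f"{func.__name__:14} {value!r:12} -> {outcome(func, conn, value)}")
```

Running it shows the progression the thread describes: the concatenating version passes the numeric check for "1,1" and then fails inside the database, the cast version stops the error but maps "1,1" to a different row than the caller probably meant, and the parameterised version rejects the input before any SQL is built.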
Current thread:
- Strange beaviour in sql injection Securityinfos (Oct 29)
- RE: Strange beaviour in sql injection Dennis Hurst (Oct 29)
- Re: Strange beaviour in sql injection Mariusz Pekala (Nov 30)
- Re: Strange beaviour in sql injection Kevin Spett (Oct 29)
- <Possible follow-ups>
- RE: Strange beaviour in sql injection Brass, Phil (ISS Atlanta) (Oct 30)
- RE: Strange beaviour in sql injection Dennis Hurst (Oct 29)