WebApp Sec mailing list archives

Re: SQL Injection Basics

From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 11 Feb 2003 16:35:50 +0100

[Taco Fleur]

|   SQL Injection works only when
|   
|   1. SELECT * FROM foo WHERE foobar = $var
|   2. SELECT * FROM foo WHERE foobar = '$var'
|   
|   In number 1, if the variable is not checked for the type of integer people
|   can submit for example
|   /urlstring/index.cfm?var=1; AND NASTY CODE HERE
|   
|   In number 2, if the variable is not checked for tick marks, and does not
|   escape any that are found
|   /urlstring/index.cfm?var=blah' AND NASTY CODE HERE --

It's not just the tick marks, it's any character with special meaning
to the database in the context of which data is inserted.

Consider a system talking to PostgreSQL (or MySQL or any other
database that accepts C-style backslash escapes in string constants).
If the developer just thinks about the ticks, he may (given
ASP/VBScript) do the following:

    userName = Request.Form("username")
    userNameSQL = "'" & Replace(userName, "'", "''") & "'"
    query = "SELECT * FROM Usr WHERE UserName=" & userNameSQL

The code doubles all ticks when inserting the incoming data in an SQL
string constant.

Now an attacker who knows more about PostgreSQL (or other bla bla)
than the developer, may make the username parameter look like this:

    \'; DELETE FROM Usr --

The final query being sent to the database will, given doubling of
ticks, look like this:

    SELECT * FROM Usr WHERE UserName='\''; DELETE FROM Usr --'
                                      -----------------------

Notice how the backslash inserted by the attacker in effect escapes
one of the two ticks, opening up for the nastyness the developer tried
to prevent.

The bottom line: If using data-passing methods that combine data with
control information (e.g. dynamic SQL rather than prepared
statements), the developer will need to have a _full_ understanding of
_every_ metacharacter supported by the database for the context in
which the data is inserted.


Sverre.

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/

Current thread:

Re: SQL Injection Basics, (continued)
- - - Re: SQL Injection Basics Dave Aitel (Feb 10)
    - RE: SQL Injection Basics Dennis Hurst (Feb 10)
    - Re: SQL Injection Basics Taco Fleur (Feb 10)
    - RE: SQL Injection Basics Robert Nilsen (Feb 10)
    - Re: SQL Injection Basics Dirk Gomez (Feb 10)
    - RE: SQL Injection Basics Keith Smith (Feb 10)
    - Re: SQL Injection Basics Kevin Spett (Feb 10)
    - Re: SQL Injection Basics Dejan Bosanac (Feb 11)
    - Re: SQL Injection Basics Dirk Gomez (Feb 11)
    - Re: SQL Injection Basics Dejan Bosanac (Feb 11)
    - Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
    - Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
    - Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
    - Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
    - Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
    - Re: SQL Injection Basics Alex Russell (Feb 11)
    - Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
    - Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
    - Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
    - Re: SQL Injection Basics Alex Russell (Feb 11)
    - Re: SQL Injection Basics Jerry Connolly (Feb 11)

(Thread continues...)