WebApp Sec mailing list archives
Re: SQL Injection Basics
From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 11 Feb 2003 16:35:50 +0100
[Taco Fleur] | SQL Injection works only when | | 1. SELECT * FROM foo WHERE foobar = $var | 2. SELECT * FROM foo WHERE foobar = '$var' | | In number 1, if the variable is not checked for the type of integer people | can submit for example | /urlstring/index.cfm?var=1; AND NASTY CODE HERE | | In number 2, if the variable is not checked for tick marks, and does not | escape any that are found | /urlstring/index.cfm?var=blah' AND NASTY CODE HERE -- It's not just the tick marks, it's any character with special meaning to the database in the context of which data is inserted. Consider a system talking to PostgreSQL (or MySQL or any other database that accepts C-style backslash escapes in string constants). If the developer just thinks about the ticks, he may (given ASP/VBScript) do the following: userName = Request.Form("username") userNameSQL = "'" & Replace(userName, "'", "''") & "'" query = "SELECT * FROM Usr WHERE UserName=" & userNameSQL The code doubles all ticks when inserting the incoming data in an SQL string constant. Now an attacker who knows more about PostgreSQL (or other bla bla) than the developer, may make the username parameter look like this: \'; DELETE FROM Usr -- The final query being sent to the database will, given doubling of ticks, look like this: SELECT * FROM Usr WHERE UserName='\''; DELETE FROM Usr --' ----------------------- Notice how the backslash inserted by the attacker in effect escapes one of the two ticks, opening up for the nastyness the developer tried to prevent. The bottom line: If using data-passing methods that combine data with control information (e.g. dynamic SQL rather than prepared statements), the developer will need to have a _full_ understanding of _every_ metacharacter supported by the database for the context in which the data is inserted. Sverre. -- shh () thathost com Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/
Current thread:
- Re: SQL Injection Basics, (continued)
- Re: SQL Injection Basics Dave Aitel (Feb 10)
- RE: SQL Injection Basics Dennis Hurst (Feb 10)
- Re: SQL Injection Basics Taco Fleur (Feb 10)
- RE: SQL Injection Basics Robert Nilsen (Feb 10)
- Re: SQL Injection Basics Dirk Gomez (Feb 10)
- RE: SQL Injection Basics Keith Smith (Feb 10)
- Re: SQL Injection Basics Kevin Spett (Feb 10)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Dirk Gomez (Feb 11)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)