WebApp Sec mailing list archives

Re: SQL Injection Basics


From: Ken Anderson <ka () pacific net>
Date: Tue, 11 Feb 2003 12:20:32 -0800


With mysql, you can use double quotes instead of single quotes around strings. http://www.mysql.com/doc/en/Extensions_to_ANSI.html You can then allow single quotes in user input for things like a last name of "O'Malley".

in java:

foo = req.getParameter("foo");
sanitize(foo); // disallow other bad stuff [%()"\...]
// the value goes inside a double-quoted literal, so the Java quotes around it must be escaped
sql = "select * from users where username = \"" + foo + "\"";

If the value of foo is "'foo", it's not a problem.

mysql> select lastname from users where lastname = "O'Brien";
+--------------+
| lastname     |
+--------------+
| O'Brien      |
| O'Brien      |
+--------------+

Ken A.


dreamwvr () dreamwvr com wrote:
On Tue, Feb 11, 2003 at 04:35:50PM +0100, Sverre H. Huseby wrote:

Consider a system talking to PostgreSQL (or MySQL or any other
database that accepts C-style backslash escapes in string constants).
If the developer just thinks about the ticks, he may (given

Well IMO why not simply filter out all non-alpha and non-integer characters,
logging everything else and not allowing them to form a SQL statement
at all? Then allow very select special characters like ; only in
a specific position. Just my 2 cents.

Best Regards,
dreamwvr () dreamwvr com
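Added example (not code from Ken, dreamwvr or the thread): Ken's double-quoted-literal construction with a character filter like his sanitize(), a check that the value actually stayed inside one literal under MySQL's default string rules (backslash escapes the next character, "" is a literal quote), and the same lookup as a bound parameter so no filter is needed. The filter set is an assumption taken from the "[%()"\...]" on the page with its open tail dropped, the rows are constructed, and sqlite3 stands in for MySQL so it runs offline.

```python
import re
import sqlite3
from typing import List, Optional

# Constructed approximation of the sanitize() in the post: the page lists
# [%()"\...] and leaves the tail open, so this concrete set is an assumption.
FORBIDDEN = set('%()"\\')

QUERY_PREFIX = 'select * from users where username = '

# One MySQL double-quoted string literal under the default sql_mode:
# backslash escapes any following character and "" stands for a quote.
MYSQL_DQ_LITERAL = re.compile(r'"(?:[^"\\]|\\.|"")*"')


def rejects(value: str) -> bool:
    """True if the character filter would refuse this input."""
    return bool(set(value) & FORBIDDEN)


def build_query(username: str, filtered: bool = True) -> str:
    """Concatenate the value into a double-quoted literal, as in the post.
    filtered=False skips the filter so the check below can be exercised on
    inputs the filter is meant to stop."""
    if filtered and rejects(username):
        raise ValueError("input contains a disallowed character")
    return QUERY_PREFIX + '"' + username + '"'


def literal_payload(sql: str) -> Optional[str]:
    """Body of the literal if the value stayed inside exactly one
    double-quoted literal with nothing after it; None if it escaped the
    literal or swallowed the closing quote (e.g. a trailing backslash)."""
    if not sql.startswith(QUERY_PREFIX):
        return None
    m = MYSQL_DQ_LITERAL.fullmatch(sql[len(QUERY_PREFIX):])
    return m.group(0)[1:-1] if m else None


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows mirroring the mysql output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (lastname text)")
    conn.executemany("insert into users values (?)",
                     [("O'Brien",), ("O'Brien",), ("Smith",)])
    return conn


def lookup_lastname(conn: sqlite3.Connection, lastname: str) -> List[str]:
    """Same SELECT, but the value travels as a bound parameter: quotes and
    backslashes in it are data, so no character filter is needed."""
    rows = conn.execute("select lastname from users where lastname = ?",
                        (lastname,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    for value in ["O'Malley", '" or "1"="1', "foo\\"]:
        sql = build_query(value, filtered=False)
        print(repr(sql), "| filter rejects:", rejects(value),
              "| stayed in literal:", literal_payload(sql) is not None)
    print(lookup_lastname(demo_db(), "O'Brien"))
```

The literal check is the part worth keeping around: it shows that O'Malley is harmless, that a lone `"` leaves the literal, and that a trailing backslash eats the closing quote even though no quote was supplied, which is the case Sverre's quoted note is getting at. The bound-parameter lookup returns the same two O'Brien rows as the mysql session above without any of that filtering.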


