WebApp Sec mailing list archives
Re: SQL Injection Basics
From: Ken Anderson <ka () pacific net>
Date: Tue, 11 Feb 2003 12:20:32 -0800
With mysql, you can use double quotes instead of single quotes around strings. http://www.mysql.com/doc/en/Extensions_to_ANSI.html You can then allow single quotes in user input for things like last name of "O'Malley"
In Java:

    foo = req.getParameter("foo");
    sanitize(foo); // disallow other bad stuff [%()"\...]
    sql = "select * from users where username = \"" + foo + "\"";

If the value of foo is "'foo", it's not a problem.

    mysql> select lastname from users where lastname = "O'Brien";
    +--------------+
    | lastname     |
    +--------------+
    | O'Brien      |
    | O'Brien      |
    +--------------+

Ken A.

dreamwvr () dreamwvr com wrote:
> On Tue, Feb 11, 2003 at 04:35:50PM +0100, Sverre H. Huseby wrote:
> > Consider a system talking to PostgreSQL (or MySQL or any other
> > database that accepts C-style backslash escapes in string
> > constants). If the developer just thinks about the ticks, he may (given
>
> Well, IMO, why not simply filter out all non-alpha and integers, logging
> everything else and not allowing it to form a SQL statement at all? Then
> allow very select special characters like ; only in a specific position.
>
> Just my 2 cents.
>
> Best Regards,
> dreamwvr () dreamwvr com
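The three constructions discussed in this thread side by side, as an added Python/SQLite example that is not part of the original message or of any project mentioned in it: the single-quoted concatenation that the thread is about, the post's blocklist filter plus double quotes, and a bound parameter. The table users(lastname), the sample rows, and the exact blocklist are assumptions (the post lists %()"\ and trails off with "..."). The double-quoted query is only built, not executed: it is MySQL-oriented, and in MySQL a backslash is still an escape character inside double-quoted literals (unless NO_BACKSLASH_ESCAPES is set), which is why the post's filter has to strip \ as well; SQLite would read the double quotes as identifier quoting instead.

```python
import sqlite3

# Characters rejected by the post's sanitize(). The message lists %()"\ and
# trails off with "...", so this exact set is an assumption for the example.
BAD_CHARS = frozenset('%()"\\;')

QUERY = "select lastname from users where lastname = "


def sanitize(value: str) -> str:
    """Blocklist filter in the spirit of the post: reject the input outright
    if it contains any character from BAD_CHARS. The single quote is
    deliberately NOT on the list, so O'Malley passes."""
    bad = sorted(set(value) & BAD_CHARS)
    if bad:
        raise ValueError(f"disallowed characters in input: {bad}")
    return value


def double_quoted_sql(value: str) -> str:
    """The post's construction for MySQL: filter, then wrap the value in
    double quotes. Only the SQL text is built here; it is not run against
    SQLite, which treats double quotes as identifier quoting."""
    return QUERY + '"' + sanitize(value) + '"'


def single_quoted_sql(value: str) -> str:
    """The classic vulnerable construction the thread is about: no filter,
    value dropped between single quotes."""
    return QUERY + "'" + value + "'"


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not data from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (lastname text)")
    conn.executemany("insert into users values (?)",
                     [("O'Brien",), ("O'Brien",), ("Smith",)])
    return conn


def naive_lookup(conn: sqlite3.Connection, value: str) -> list:
    """Run the single-quoted concatenation as-is."""
    return conn.execute(single_quoted_sql(value)).fetchall()


def param_lookup(conn: sqlite3.Connection, value: str) -> list:
    """Bound parameter: the driver sends the value separately from the SQL,
    so quotes and backslashes in it can never change the statement."""
    return conn.execute(QUERY + "?", (value,)).fetchall()


def demo() -> dict:
    """Exercise all three constructions with an apostrophe name and a
    classic tautology payload; returns the observations for inspection."""
    conn = make_db()
    payload = "' or '1'='1"
    out = {}

    # 1. Naive single-quote concatenation: the payload reads every row,
    #    and a legitimate O'Brien is a syntax error.
    out["naive_payload_rows"] = len(naive_lookup(conn, payload))
    try:
        naive_lookup(conn, "O'Brien")
        out["naive_apostrophe_ok"] = True
    except sqlite3.OperationalError:
        out["naive_apostrophe_ok"] = False

    # 2. The post's filter + double quotes: O'Malley is accepted, while a
    #    payload that needs a double quote to break out is rejected.
    out["dq_sql"] = double_quoted_sql("O'Malley")
    try:
        double_quoted_sql('" or "1"="1')
        out["dq_payload_rejected"] = False
    except ValueError:
        out["dq_payload_rejected"] = True

    # 3. Bound parameter: no filter needed, apostrophes are just data and the
    #    payload matches nothing.
    out["param_obrien_rows"] = len(param_lookup(conn, "O'Brien"))
    out["param_payload_rows"] = len(param_lookup(conn, payload))
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

The blocklist approach works only as long as the list is complete for the database dialect actually in use (quote characters, backslash, comment introducers, and whatever else the server's string parser treats specially); the bound-parameter version needs no such list, which is why a practitioner reaches for it first and keeps character filtering as a defence in depth.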