WebApp Sec mailing list archives

RE: SQL Injection


From: "V. Poddubniy" <vpoddubniy () mail ru>
Date: Tue, 1 Jun 2004 00:37:22 +0400

Hello,

This is not safe. Maybe some SQL servers will accept double quotes
instead of single... And what about user O'Neil? Is his last name bad?

Use SQL command parameters, if your SQL engine allows it. If it does not
work, this is a bug in the engine... Send them some feedback :-)

--
Best regards,
 Vladimir Poddubniy

-----Original Message-----
From: Emanuele Zattin [mailto:emanuelez () mymachine mydomain com] 
Sent: Friday, May 28, 2004 11:18 AM
To: webappsec () securityfocus com
Subject: SQL Injection


Hello Everybody!
I recently found out that one of my websites suffered SQL injections
like this:

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem by checking whether the logon or password variables
contained the "'" char... is it safe enough? I checked around the net
and found a recent paper from Imperva but it does not talk about
single-char checking... I tried to use different encodings but that
string in UTF-8 is just the same... any hint?
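The following is an added, runnable illustration of the two replies above; it is not code from either poster. It builds a constructed in-memory SQLite table (the user list, including an "O'Neil", is made up for the demo) and compares three login routines: string concatenation, which the "a' OR 'a'='a" input bypasses; the single-quote rejection Emanuele describes, which stops that payload but also locks out O'Neil; and a bound-parameter query, which Vladimir recommends and which handles both cases. Function and table names are assumptions made for this example.

```python
import sqlite3

# Constructed sample accounts for the demo (not real data).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("O'Neil", "tea")]

# The payload from the original post.
PAYLOAD = "a' OR 'a'='a"


def make_db():
    """Create an in-memory users table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, login, password):
    """Vulnerable pattern: user input is spliced directly into the SQL text.

    With the payload above the WHERE clause becomes
        login = 'a' OR 'a'='a' AND password = 'a' OR 'a'='a'
    which is true for every row, so the login succeeds.
    A legitimate quote (O'Neil) breaks the statement instead.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + login
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_reject_quote(conn, login, password):
    """Emanuele's fix: refuse any input that contains a single quote.

    This blocks the posted payload, but it also rejects real users whose
    names contain an apostrophe, and it does nothing about other quoting
    conventions an engine might accept.
    """
    if "'" in login or "'" in password:
        return False
    return login_concat(conn, login, password)


def login_param(conn, login, password):
    """Vladimir's advice: bind parameters.

    The driver sends the values separately from the statement text, so
    the input is only ever compared as data and can never become syntax.
    """
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row[0] > 0


def demo():
    """Return the outcome of each routine for the payload and for O'Neil."""
    conn = make_db()
    results = {
        "concat_payload": login_concat(conn, PAYLOAD, PAYLOAD),
        "reject_payload": login_reject_quote(conn, PAYLOAD, PAYLOAD),
        "param_payload": login_param(conn, PAYLOAD, PAYLOAD),
        "reject_oneil": login_reject_quote(conn, "O'Neil", "tea"),
        "param_oneil": login_param(conn, "O'Neil", "tea"),
    }
    try:
        login_concat(conn, "O'Neil", "tea")
        results["concat_oneil"] = "ok"
    except sqlite3.OperationalError:
        # The stray quote turns a valid login into a SQL syntax error.
        results["concat_oneil"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only `login_param` gives the right answer in every case: the payload is treated as an ordinary (nonexistent) username, and O'Neil can log in. The single-quote check is a partial mitigation that costs legitimate users, which is exactly the objection raised in the reply.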

