WebApp Sec mailing list archives
RE: SQL Injection
From: "V. Poddubniy" <vpoddubniy () mail ru>
Date: Tue, 1 Jun 2004 00:37:22 +0400
Hello,

This is not safe. Maybe some SQL servers will accept double quotes instead of single... And what about user O'Neil? Is his last name bad?

Use SQL command parameters, if your SQL engine allows it. If it does not work, this is a bug in the engine... Send them some feedback :-)

--
Best regards,
Vladimir Poddubniy

-----Original Message-----
From: Emanuele Zattin [mailto:emanuelez () mymachine mydomain com]
Sent: Friday, May 28, 2004 11:18 AM
To: webappsec () securityfocus com
Subject: SQL Injection

Hello Everybody!

I recently found out that one of my websites suffered SQL injections like this:

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem checking whether the logon or password variables contained the "'" char... is it safe enough?

I checked around the net and found a recent paper from Imperva but it does not talk about single chars checking... I tried to use different encodings but that string in UTF-8 is just the same... any hint?
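The three approaches discussed in this exchange side by side, as an added example that is not part of the original thread: the string-concatenated query the original poster had, the "refuse any single quote" check he proposed, and the bound-parameter query the reply recommends. It uses Python's built-in sqlite3 with a constructed in-memory users table whose one legitimate user is the O'Neil from the reply.

```python
import sqlite3

# The login/password value quoted in the original message, and a constructed
# legitimate user whose name contains a quote (assumed sample data).
INJECTION = "a' OR 'a'='a"
LEGIT = ("O'Neil", "secret")


def make_db():
    """Constructed sample data (not from the thread): one user, O'Neil."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('O''Neil', 'secret')")
    return db


def login_concat(db, login, password):
    """Vulnerable pattern: user input spliced into the SQL text.
    Returns the query result, or None when the input breaks the query
    (a legitimate quote in the name is enough to do that)."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return None


def login_quote_check(db, login, password):
    """The original poster's fix: refuse any input containing a single quote.
    Blocks the payload, but also locks out O'Neil."""
    if "'" in login or "'" in password:
        return False
    return login_concat(db, login, password)


def login_parameterized(db, login, password):
    """The fix the reply recommends: values are bound as parameters and never
    become part of the SQL text, so quotes in them are just data."""
    row = db.execute("SELECT COUNT(*) FROM users WHERE login = ? AND password = ?",
                     (login, password)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("concat", login_concat), ("quote check", login_quote_check),
                     ("parameterized", login_parameterized)]:
        print(f"{name:13}: injection -> {fn(db, INJECTION, INJECTION)}, "
              f"O'Neil -> {fn(db, *LEGIT)}")
```

Only the parameterized version both rejects the payload and lets O'Neil log in; the quote check trades the injection for a denial of service against legitimate names.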