WebApp Sec mailing list archives
Re: SQL Injection
From: "Serg B." <serg () dodo com au>
Date: Tue, 01 Jun 2004 23:36:54 +1000
Hi,

Perhaps you could limit or anticipate the character set used for users' usernames and passwords and filter out everything else?

On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
> Hello Everybody! I recently found out that one of my websites suffered SQL injections like this:
>
> Login: a' OR 'a'='a
> Password: a' OR 'a'='a
>
> I solved the problem by checking whether the logon or password variables contained the "'" char... is it safe enough? I checked around the net and found a recent paper from Imperva but it does not talk about single chars checking... I tried to use different encodings but that string in UTF-8 is just the same... any hint?

-- Serg B. <serg () dodo com au>
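
Added example (not part of the original message or thread): a Python/sqlite3 sketch that runs the login string quoted above against a concatenated query, against the quote-rejecting fix, and against an allow-listed username combined with bound parameters. The table, the two accounts, the function names and the username pattern are assumptions made for this illustration.

```python
import re
import sqlite3

# Assumed username policy for this sketch: letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")
PAYLOAD = "a' OR 'a'='a"  # the login/password string quoted in the thread

def make_db():
    """Constructed in-memory table (plaintext passwords only to keep the sketch short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "o'neil")])
    return db

def login_concat(db, login, password):
    """'Before' form: input is pasted into the SQL text, so a quote rewrites the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_quote_filter(db, login, password):
    """The fix described in the quoted message: refuse any input containing "'"."""
    if "'" in login or "'" in password:
        return False
    return login_concat(db, login, password)

def login_allowlist_bound(db, login, password):
    """Allow-list the username, then pass both values as bound parameters."""
    if not USERNAME_RE.fullmatch(login):
        return False
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row[0] > 0

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concat, login_quote_filter, login_allowlist_bound):
        print(fn.__name__,
              "payload:", fn(db, PAYLOAD, PAYLOAD),
              "bob with quote in password:", fn(db, "bob", "o'neil") if fn is not login_concat else "n/a")
```

The quote filter stops the quoted string but also locks out an account whose password legitimately contains an apostrophe; with bound parameters the value is never parsed as SQL, so the same password is accepted and the payload is treated as plain data.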