WebApp Sec mailing list archives
Re: SQL Injection
From: David Cameron <david () uberconcept com>
Date: Wed, 02 Jun 2004 18:34:14 +1000
The other thing to be aware of in SQL injection is when someone inserts a string where you expect an integer. This also tends to be caught when using parameterised queries as they are strongly typed. If you aren't using parameterised queries (and why aren't you), strong type checking is a must. An example of where this might be a problem:
SELECT * FROM MyTable WHERE SomeGRoupID = @Val

If the value 'SomeGRoupID' (without the quotes) were inserted, all values would be returned. I think you can see the possibilities of this approach.
regards
David Cameron

Scovetta, Michael V wrote:
What if their name was O'Henry?

Security must be paramount to the developer, but invisible to the client. Best choice: parameterized queries. Second best: have a stored procedure make the modification. Third: filter IN good characters. Fourth: filter OUT bad characters.

Since I started using parameterized queries (via Java's PreparedStatement object), I haven't run into a single SQL injection issue. My hat's off to the developers for a clean, easy to use interface. IMHO, this is the way of the 'future'-- addslashes() and other hacks are always going to suffer from special cases that get missed, or DBMS oddities like strange escape sequences.

Michael Scovetta
Computer Associates
Application Developer

-----Original Message-----
From: Serg B. [mailto:serg () dodo com au]
Sent: Tuesday, June 01, 2004 9:37 AM
To: emanuelez () libero it
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection

Hi,

Perhaps you could limit or anticipate the character set used for users' usernames and passwords and filter out everything else?

On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:

Hello Everybody!

I recently found out that one of my websites suffered SQL injections like this:

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem checking whether the logon or password variables contained the "'" char... is it safe enough? I checked around the net and found a recent paper from Imperva but it does not talk about single chars checking... I tried to use different encodings but that string in UTF-8 is just the same... any hint?

-- 
Serg B. <serg () dodo com au>
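The following script is an added example for this archive page; it is not code posted by David Cameron, Michael Scovetta or anyone else in the thread. It reproduces, against an in-memory SQLite database, the three cases the messages above describe: David's integer-column injection (a bare identifier where a number was expected, which makes the WHERE clause compare a column to itself), Emanuele's a' OR 'a'='a login bypass, and Michael's O'Henry apostrophe, each with string-concatenated SQL beside the parameterised form. The table name MyTable and column SomeGroupID come from David's query (capitalisation normalised); the other columns, the rows and all function names are constructed for the demo. The unchecked-parameter result relies on SQLite's comparison rules for a bound text value against an INTEGER column; another engine may raise a type error instead, which is David's "tends to be caught" point either way.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the original thread.
ROWS = [
    (1, "alice", "s3cret", 10),
    (2, "bob", "hunter2", 20),
    (3, "O'Henry", "pw", 10),
]


def make_db():
    """Build an in-memory SQLite table shaped like David's MyTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MyTable (id INTEGER, username TEXT, "
        "password TEXT, SomeGroupID INTEGER)"
    )
    conn.executemany("INSERT INTO MyTable VALUES (?, ?, ?, ?)", ROWS)
    return conn


def ids(cursor):
    """Collect the id column of a result set into a list."""
    return [row[0] for row in cursor]


# --- the "integer" case from David's message ---------------------------------

def by_group_concat(conn, val):
    """Vulnerable: whatever was received is pasted straight into the SQL text,
    so the string 'SomeGroupID' turns the WHERE clause into
    'SomeGroupID = SomeGroupID', which is true for every row."""
    return ids(conn.execute("SELECT id FROM MyTable WHERE SomeGroupID = " + str(val)))


def by_group_param_unchecked(conn, val):
    """Parameterised but not type-checked: the value is bound as data, never as
    SQL, so 'SomeGroupID' is compared as a literal string and matches nothing
    in SQLite (other engines may instead reject the value with a type error)."""
    return ids(conn.execute("SELECT id FROM MyTable WHERE SomeGroupID = ?", (val,)))


def by_group_param(conn, val):
    """Parameterised plus the explicit strong type check David recommends."""
    if not isinstance(val, int) or isinstance(val, bool):
        raise TypeError("SomeGroupID must be an int, got %r" % (val,))
    return ids(conn.execute("SELECT id FROM MyTable WHERE SomeGroupID = ?", (val,)))


# --- the string / login case from Emanuele's and Michael's messages ----------

def login_concat(conn, user, pw):
    """Vulnerable: quoted values built by string formatting. a' OR 'a'='a
    matches every row, and a legitimate O'Henry is a syntax error (None)."""
    sql = "SELECT id FROM MyTable WHERE username = '%s' AND password = '%s'" % (user, pw)
    try:
        return ids(conn.execute(sql))
    except sqlite3.OperationalError:
        return None


def login_param(conn, user, pw):
    """Parameterised: the apostrophe is just another character in the data."""
    return ids(conn.execute(
        "SELECT id FROM MyTable WHERE username = ? AND password = ?", (user, pw)))


def demo():
    """Run every case once and return the results keyed by name."""
    conn = make_db()
    attack = "a' OR 'a'='a"
    out = {
        "int_concat_normal": by_group_concat(conn, 10),
        "int_concat_attack": by_group_concat(conn, "SomeGroupID"),
        "int_param_unchecked_attack": by_group_param_unchecked(conn, "SomeGroupID"),
        "int_param_normal": by_group_param(conn, 10),
        "login_concat_attack": login_concat(conn, attack, attack),
        "login_concat_ohenry": login_concat(conn, "O'Henry", "pw"),
        "login_param_attack": login_param(conn, attack, attack),
        "login_param_ohenry": login_param(conn, "O'Henry", "pw"),
    }
    try:
        by_group_param(conn, "SomeGroupID")
        out["int_param_checked_attack"] = "accepted"
    except TypeError:
        out["int_param_checked_attack"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-28s %r" % (name, result))
```

Running it shows the concatenated integer query and the concatenated login both returning all three ids for the injected input, the concatenated login failing outright on O'Henry, and the parameterised versions returning only the rows that genuinely match (empty for the attack strings, the single O'Henry row for the legitimate name). The explicit int check is still worth keeping in front of the parameterised integer query: it fails loudly at the boundary instead of depending on the database engine's coercion rules.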
Current thread:
- SQL Injection Emanuele Zattin (May 31)
- Re: SQL Injection windo (Jun 01)
- RE: SQL Injection V. Poddubniy (Jun 01)
- Re: SQL Injection Serg B. (Jun 01)
- Re: SQL Injection RSnake (Jun 01)
- Re: SQL Injection Paul (Jun 01)
- <Possible follow-ups>
- RE: SQL Injection Scovetta, Michael V (Jun 01)
- Re: SQL Injection David Cameron (Jun 02)
- RE: SQL Injection Imperva Application Defense Center (Jun 02)
- RE: SQL Injection stevenr (Jun 02)
- Re: SQL Injection Steven M. Christey (Jun 03)
- Re: SQL Injection The Crocodile (Jun 04)
- RE: SQL Injection stevenr (Jun 06)
- RE: SQL Injection The Crocodile (Jun 06)
- Re: SQL Injection Jeff Williams (Jun 08)
- Re: SQL Injection saphyr (Jun 09)
- RE: SQL Injection The Crocodile (Jun 06)
- Request for comments - French readers saphyr (Jun 08)
- Re: SQL Injection Steven M. Christey (Jun 08)