WebApp Sec mailing list archives
RE: SQL Injection Basics
From: Mark Mcdonald <m.mcdonald () cgl com au>
Date: Wed, 12 Feb 2003 08:44:30 +0800
My personal favourite method when working with IIS/ASP is to handle all data retrieval using only the primary key, which is always an integer. Fortunately, digits do not pose a security threat in any way, shape or form. In VBScript/ASP:

sql = "SELECT * FROM myTable WHERE id=" & CInt(Request.QueryString("id"))
From my experience, this is unbeatable. However there is one obvious, fairly big drawback: it only works on integers, hence why it is only used for retrieval.

Mark.

-----Original Message-----
From: Ken Anderson [mailto:ka () pacific net]
Sent: Wednesday, February 12, 2003 4:21 AM
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection Basics

With mysql, you can use double quotes instead of single quotes around strings.
http://www.mysql.com/doc/en/Extensions_to_ANSI.html

You can then allow single quotes in user input for things like a last name of "O'Malley". In Java:

foo = req.getParameter("foo");
foo = sanitize(foo); // disallow other bad stuff [%()"\...]
sql = "select * from users where username = \"" + foo + "\"";

If the value of foo is "'foo", it's not a problem.

mysql> select lastname from users where lastname = "O'Brien";
+----------+
| lastname |
+----------+
| O'Brien  |
| O'Brien  |
+----------+

Ken A.

dreamwvr () dreamwvr com wrote:
> On Tue, Feb 11, 2003 at 04:35:50PM +0100, Sverre H. Huseby wrote:
>> Consider a system talking to PostgreSQL (or MySQL or any other
>> database that accepts C-style backslash escapes in string constants).
>> If the developer just thinks about the ticks, he may (given
>
> Well, IMO, why not simply filter out everything that is not alpha or integer, logging everything else and not allowing it to form a SQL statement at all? Then allow very select special characters like ; only in a specific position.
>
> Just my 2 cents.
>
> Best Regards,
> dreamwvr () dreamwvr com
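The three defences proposed in this thread (Mark's integer-only key, Ken's double-quoted MySQL string behind a character filter, and dreamwvr's strip-everything-but-alphanumerics) side by side, as an added Python example that is not code from any of the posters. The guards re-express the ideas rather than the original VBScript/Java; the allow-list for the double-quote approach is an assumption, since Ken's filter list is only partly shown, and the sample inputs are constructed for the demonstration.

```python
import re
from typing import Callable, List


class RejectedInput(ValueError):
    """Raised when user input fails one of the guards below."""


# --- 1. Integer primary key only (Mark's CInt idea, re-expressed in Python).
# Assumption: like CInt, anything that is not a plain integer is an error,
# so the only characters that can ever reach the query text are digits and
# an optional sign. A strict regex is used instead of int() alone because
# Python's int() also accepts underscores and non-ASCII digits.
INT_ONLY = re.compile(r"-?[0-9]+")


def select_by_id(raw_id: str) -> str:
    value = raw_id.strip()
    if not INT_ONLY.fullmatch(value):
        raise RejectedInput(f"not an integer: {raw_id!r}")
    return f"SELECT * FROM myTable WHERE id={int(value, 10)}"


# --- 2. Double-quoted MySQL string plus a character filter (Ken's idea).
# Ken's filter list is only partly shown ([%()"\...]); the allow-list below
# is an assumption that keeps letters, digits, apostrophe, space, dot and
# hyphen and rejects everything else, including the double quote that would
# terminate the string and the backslash that MySQL treats as an escape.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9' .-]+")


def select_by_username_dq(foo: str) -> str:
    if not USERNAME_ALLOWED.fullmatch(foo):
        raise RejectedInput(f"disallowed character in username: {foo!r}")
    return f'select * from users where username = "{foo}"'


# --- 3. Keep only letters and digits and log what was dropped (dreamwvr's
# suggestion). Assumption: dropped characters go to a caller-supplied list
# standing in for a real log.
def alnum_only(value: str, log: List[str]) -> str:
    dropped = re.findall(r"[^A-Za-z0-9]", value)
    if dropped:
        log.append(f"dropped {dropped!r} from {value!r}")
    return re.sub(r"[^A-Za-z0-9]", "", value)


def rejects(guard: Callable[[str], str], value: str) -> bool:
    """True if the guard refuses the value instead of building a query."""
    try:
        guard(value)
    except RejectedInput:
        return True
    return False


# Constructed sample inputs: legitimate values plus injection attempts that
# rely on the tick, the double quote, the backslash and a statement separator.
SAMPLE_IDS = ["42", " 7 ", "42 OR 1=1", "1; DROP TABLE myTable", "1_000"]
SAMPLE_NAMES = ["O'Malley", 'x" or "1"="1', "O\\'Malley", "Ann-Marie Smith"]


def demo() -> dict:
    """Run every sample through its guard and report what got through."""
    log: List[str] = []
    return {
        "ids_accepted": [v for v in SAMPLE_IDS if not rejects(select_by_id, v)],
        "ids_rejected": [v for v in SAMPLE_IDS if rejects(select_by_id, v)],
        "names_accepted": [v for v in SAMPLE_NAMES if not rejects(select_by_username_dq, v)],
        "names_rejected": [v for v in SAMPLE_NAMES if rejects(select_by_username_dq, v)],
        "alnum": [alnum_only(v, log) for v in SAMPLE_NAMES],
        "alnum_log_entries": len(log),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

The integer guard is the strongest of the three precisely because of the drawback Mark notes: nothing but digits can reach the query. The double-quote approach only holds while the filter in front of it keeps out the double quote and the backslash, which is why the allow-list rejects `O\'Malley` as well as the obvious `" or "1"="1`. The strip-to-alphanumerics approach never yields injectable text but silently changes legitimate values such as `O'Malley` to `OMalley`, so the log of dropped characters matters in practice.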
Current thread:
- Re: WebSleuth and the SQLInjeciton Plugin, (continued)
- Re: WebSleuth and the SQLInjeciton Plugin Chip Andrews (Mar 10)
- Re: SQL Injection Basics davy van de moere (Feb 09)
- Re: SQL Injection Basics NetNinja (Feb 09)
- Re: SQL Injection Basics Dirk Gomez (Feb 10)
- RE: SQL Injection Basics Logan F.D. Greenlee (Feb 10)
- RE: SQL Injection Basics Brass, Phil (ISS Atlanta) (Feb 11)
- RE: SQL Injection Basics Eric Appelboom (Feb 11)
- Re: SQL Injection Basics Kevin Spett (Feb 11)
- RE: SQL Injection Basics Patrick Debois (Feb 11)
- RE: SQL Injection Basics Logan F.D. Greenlee (Feb 11)
- RE: SQL Injection Basics Mark Mcdonald (Feb 11)
- Re: SQL Injection Basics Jim McGarvey (Feb 11)
- Re: SQL Injection Basics Mark Curphey (Feb 11)
- Re: SQL Injection Basics Jim McGarvey (Feb 12)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 12)
- Re: SQL Injection Basics Jim McGarvey (Feb 11)
- RE: SQL Injection Basics David Cameron (Feb 11)
- RE: SQL Injection Basics Mark Mcdonald (Feb 11)
- RE: SQL Injection Basics Jason Benson (Feb 12)
- RE: SQL Injection Basics David Cameron (Feb 12)
- Re: SQL Injection Basics Alex Russell (Feb 12)
- RE: SQL Injection Basics David Cameron (Feb 12)