WebApp Sec mailing list archives
Re: SQL Injection
From: windo () windowlicker dyn ee
Date: Tue, 1 Jun 2004 08:43:32 +0300
Hey.
> I solved the problem checking whether the logon or password variables contained the "'" char... is it safe enough? I checked around the net and found a recent paper from Imperva but it does not talk about single chars checking... I tried to use different encodings but that string in UTF-8 is just the same... any hint?
With PHP, you would use addslashes() on any user input (or with a reasonably recent PHP, magic_quotes would do it for you). The industry standard way to handle this is to escape single quotes so that they wouldn't get interpreted as single quotes - the string terminating symbols - by the SQL server, but as single quotes - the characters. I'm pretty sure your preferred language has a function for that, but it would probably be trivial to just substitute all ' with \'.

Siim.
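As an added example that is not part of the thread (not Siim's or Emanuele's code), the following Python script shows the three behaviours the exchange talks about against an in-memory SQLite database: the concatenated login query that the "' OR '1'='1" payload bypasses, the same query with single quotes escaped, and a parameterised query that keeps the data out of the SQL text altogether. The table, the single user row and the payload string are constructed for the demonstration. One caveat the reply glosses over: the escape sequence is database-specific. SQLite and standard SQL escape a quote by doubling it (''), while the \' that PHP's addslashes() produces is a MySQL extension, so the escaping function here doubles the quote.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # constructed injection string for the demo


def make_db():
    """Constructed sample data: one user row in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (logon TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_unsafe(conn, logon, password):
    """String-concatenated query: user input is spliced straight into the SQL.
    With PAYLOAD as the password the WHERE clause becomes
    logon = 'alice' AND password = '' OR '1'='1', which is true for every row."""
    sql = ("SELECT COUNT(*) FROM users WHERE logon = '" + logon
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def escape_quote(s):
    """Escape each ' so the server reads it as a character, not a terminator.
    SQLite/standard SQL double the quote; MySQL also accepts the \\' form
    that addslashes() emits, but SQLite does not, so '' is used here."""
    return s.replace("'", "''")


def login_escaped(conn, logon, password):
    """Same concatenated query, but every quote in the input is escaped first,
    so the payload stays inside the string literal and matches nothing."""
    sql = ("SELECT COUNT(*) FROM users WHERE logon = '" + escape_quote(logon)
           + "' AND password = '" + escape_quote(password) + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, logon, password):
    """Parameterised query: the driver binds the values separately from the
    SQL text, so no quoting rules of the target database need to be known."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE logon = ? AND password = ?",
        (logon, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("unsafe, payload:  ", login_unsafe(db, "alice", PAYLOAD))   # True
    print("escaped, payload: ", login_escaped(db, "alice", PAYLOAD))  # False
    print("param, payload:   ", login_param(db, "alice", PAYLOAD))    # False
    print("param, real creds:", login_param(db, "alice", "s3cret"))   # True
```

Running the script shows the bypass succeeding only against the concatenated query; both the escaped and the parameterised versions reject the payload while still accepting the real credentials.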
Current thread:
- SQL Injection Emanuele Zattin (May 31)
- Re: SQL Injection windo (Jun 01)
- RE: SQL Injection V. Poddubniy (Jun 01)
- Re: SQL Injection Serg B. (Jun 01)
- Re: SQL Injection RSnake (Jun 01)
- Re: SQL Injection Paul (Jun 01)
- <Possible follow-ups>
- RE: SQL Injection Scovetta, Michael V (Jun 01)
- Re: SQL Injection David Cameron (Jun 02)
- RE: SQL Injection Imperva Application Defense Center (Jun 02)
- RE: SQL Injection stevenr (Jun 02)
- Re: SQL Injection Steven M. Christey (Jun 03)
- Re: SQL Injection The Crocodile (Jun 04)
(Thread continues...)