WebApp Sec mailing list archives

Re: SQL Injection


From: windo () windowlicker dyn ee
Date: Tue, 1 Jun 2004 08:43:32 +0300

Hey.

I solved the problem by checking whether the logon or password variables
contained the "'" char... is it safe enough? I checked around the net and
found a recent paper from Imperva, but it does not talk about single-char
checking... I tried to use different encodings, but that string in UTF-8 is
just the same... any hint?

With PHP, you would use addslashes() on any user input (or with a
reasonably recent PHP, magic_quotes would do it for you). The industry
standard way to handle this is to escape single quotes so that they
wouldn't get interpreted as single quotes - the string terminating
symbols - by the SQL server, but as single quotes - the characters. I'm
pretty sure your preferred language has a function for that, but it
would probably be trivial to just substitute all ' with \'.

Siim.
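The escaping Siim describes, worked through against an in-memory SQLite table (an added example, not code from the thread; the table, user and passwords are constructed). It contrasts the raw concatenated query, the escaped one, and a parameterized query, which keeps the value out of the SQL text altogether so no escaping is needed.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user whose password contains a quote."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'pa''ss')")
    return db


def escape_sql_string(value):
    """Escape a value for use inside a single-quoted SQL string literal.

    Doubling the quote is the SQL-standard form (SQLite, PostgreSQL, MySQL);
    the backslash form from the message (\\') is MySQL-specific.
    """
    return value.replace("'", "''")


def login_unescaped(db, login, password):
    """The original problem: the quote in the value ends the string literal
    early, so the rest of the input is parsed as SQL (here: a syntax error)."""
    sql = ("SELECT login FROM users WHERE login = '%s' AND password = '%s'"
           % (login, password))
    try:
        return db.execute(sql).fetchone()
    except sqlite3.OperationalError as err:
        return "ERROR: %s" % err


def login_escaped(db, login, password):
    """Same concatenated query, but every value is escaped first, so the
    quote reaches the server as a character, not as a terminator."""
    sql = ("SELECT login FROM users WHERE login = '%s' AND password = '%s'"
           % (escape_sql_string(login), escape_sql_string(password)))
    return db.execute(sql).fetchone()


def login_parameterized(db, login, password):
    """Parameterized query: the driver passes the values separately from
    the SQL text, so the application never has to escape anything."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchone()
```

Escaping only protects values that sit inside a quoted string literal; a value spliced into a numeric position or an identifier is not covered by it, which is one reason the parameterized form is the safer default.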

