WebApp Sec mailing list archives
Re: SQL Injection
From: "Paul" <paul () mnwebhost net>
Date: Tue, 1 Jun 2004 14:23:46 -0500
As was pointed out in another response to your post, you should capture all ' (single quote) and replace them with \' (escaped single quote). That goes for double quotes as well. As pointed out, PHP has built in functions like addquotes and stripquotes and even has a feature called magic_quotes that you could look into.

Another thing to watch for in the user input boxes is -- (double dashes), and /* both of which are the start of SQL comments and may instruct the db to ignore the rest of the line. Also, watch out for "UNION SELECT" but make sure your detection simply looks for whitespace between the two SQL keywords, otherwise I could just use "UNION SELECT" (with 2 spaces or a tab or ??).

There may be valid reasons for users to input certain things like -- or /* but probably not in a user/pass situation. If you do need to allow things that you also want to block, then just convert them to their html equiv.

That said I'm not a huge fan of signature detection but there is nothing wrong with it as part of a balanced security system. As I see it, IMHO, the biggest problem with it is that some developers (even vendors) tend to rely on it as their main defense, and someone with enough time on their hands and a little insight can bypass most commercial signature detectors.

-Paul

----- Original Message -----
From: "Emanuele Zattin" <emanuelez () mymachine mydomain com>
To: <webappsec () securityfocus com>
Sent: Friday, May 28, 2004 2:17 AM
Subject: SQL Injection
Hello Everybody!

I recently found out that one of my websites suffered SQL injections like this:

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem by checking whether the logon or password variables contained the "'" char... is it safe enough? I checked around the net and found a recent paper from Imperva but it does not talk about single-char checking... I tried to use different encodings but that string in UTF-8 is just the same... any hint?
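The checks Paul describes, written out as an added example (not code from either poster, and in Python rather than the PHP functions he mentions): a whitespace-tolerant signature check for --, /* and UNION SELECT, the quote escaping, and the HTML-equivalent fallback for input that must be kept. The function names are my own; the extra backslash escaping is an assumption beyond the post.

```python
import html
import re

# Signatures from Paul's reply: SQL comment openers and UNION SELECT with any
# run of whitespace (spaces, tab, newline) between the two keywords, so that
# "UNION<tab>SELECT" or "union   select" is caught as well as "UNION SELECT".
SIGNATURES = [
    ("comment --", re.compile(r"--")),
    ("comment /*", re.compile(r"/\*")),
    ("union select", re.compile(r"\bunion\s+select\b", re.IGNORECASE)),
]


def find_signatures(value):
    """Return the names of every signature that matches the input."""
    return [name for name, pattern in SIGNATURES if pattern.search(value)]


def escape_quotes(value):
    """Backslash-escape single and double quotes before the value goes into a
    string literal. The backslash itself is escaped first (an addition, not in
    the post): otherwise an input ending in backslash+quote would undo the escape."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def html_equivalent(value):
    """Paul's option for input that must be kept rather than blocked: store the
    HTML entity form, so a quote can no longer terminate a string literal."""
    return html.escape(value, quote=True)


def screen_field(value):
    """Both steps for one login field: what the signature check flagged, and the
    escaped form that would actually reach the query."""
    return {"flags": find_signatures(value), "escaped": escape_quotes(value)}


if __name__ == "__main__":
    # Constructed inputs: the payload from the original post, and one that
    # trips the comment and UNION SELECT signatures.
    for sample in ["a' OR 'a'='a", "x' UNION\tSELECT user, pass FROM users --"]:
        print(repr(sample), "->", screen_field(sample))
```

Run against the payload from the original post, the signature check flags nothing at all; only the quote escaping defuses it, which is Paul's point that signatures belong alongside a real fix rather than as the main defense.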
Current thread:
- SQL Injection Emanuele Zattin (May 31)
- Re: SQL Injection windo (Jun 01)
- RE: SQL Injection V. Poddubniy (Jun 01)
- Re: SQL Injection Serg B. (Jun 01)
- Re: SQL Injection RSnake (Jun 01)
- Re: SQL Injection Paul (Jun 01)
- <Possible follow-ups>
- RE: SQL Injection Scovetta, Michael V (Jun 01)
- Re: SQL Injection David Cameron (Jun 02)
- RE: SQL Injection Imperva Application Defense Center (Jun 02)
- RE: SQL Injection stevenr (Jun 02)
- Re: SQL Injection Steven M. Christey (Jun 03)
- Re: SQL Injection The Crocodile (Jun 04)
- RE: SQL Injection stevenr (Jun 06)
- RE: SQL Injection The Crocodile (Jun 06)
- Re: SQL Injection Jeff Williams (Jun 08)
- Re: SQL Injection saphyr (Jun 09)
- RE: SQL Injection The Crocodile (Jun 06)