WebApp Sec mailing list archives

Re: SQL Injection


From: "Paul" <paul () mnwebhost net>
Date: Tue, 1 Jun 2004 14:23:46 -0500

As was pointed out in another response to your post, you should capture all
' (single quote) and replace them with \' (escaped single quote).  That goes
for double quotes as well.  As pointed out, PHP has built in functions like
addquotes and stripquotes and even has a feature called magic_quotes that
you could look into.

Another thing to watch for in the user input boxes is -- (double dashes),
and /* both of which are the start of sql comments and may instruct the db
to ignore the rest of the line.  Also, watch out for "UNION SELECT" but make
sure your detection simply looks for whitespace between the two sql
keywords, otherwise I could just use "UNION  SELECT" (with 2 spaces or a tab
or ??).

There may be valid reasons for users to input certain things like -- or /*
but probably not in a user/pass situation.  If you do need to allow things
that you also want to block, then just convert them to their html equiv.

That said I'm not a huge fan of signature detection but there is nothing
wrong with it as part of a balanced security system.  As I see it, IMHO, the
biggest problem with it is that some developers (even vendors) tend to rely
on it as their main defense, and someone with enough time on their hands and
a little insight can bypass most commercial signature detectors.

-Paul


----- Original Message -----
From: "Emanuele Zattin" <emanuelez () mymachine mydomain com>
To: <webappsec () securityfocus com>
Sent: Friday, May 28, 2004 2:17 AM
Subject: SQL Injection


Hello Everybody!
I recently found out that one of my websites suffered SQL injections like
this:

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem by checking whether the logon or password variables
contained the "'" char... is it safe enough? I checked around the net and
found a recent paper from Imperva but it does not talk about single chars
checking... I tried to use different encodings but that string in UTF-8 is
just the same... any hint?
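
An added illustration of both messages above (not code from either poster, whose site was PHP; this uses Python with an in-memory SQLite table as a stand-in for the site's database): the login query built by string concatenation, which the quoted payload bypasses, beside a parameterized version, plus the whitespace-tolerant signature check Paul describes.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table with one account (sample data, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn, login, password):
    """Vulnerable form: the two input boxes are spliced into the SQL text.

    With both fields set to  a' OR 'a'='a  the WHERE clause becomes
    login = 'a' OR 'a'='a' AND password = 'a' OR 'a'='a', which is true for
    every row, so the check passes without a valid credential.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE login = '%s' AND password = '%s'"
           % (login, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, login, password):
    """Fixed form: values travel as bound parameters, so a quote is only data."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()[0] > 0


# Signature check in the spirit of Paul's advice: the two SQL comment starters,
# and UNION SELECT with any run of whitespace (spaces, tabs) between the keywords.
SIGNATURES = re.compile(r"--|/\*|\bUNION\s+SELECT\b", re.IGNORECASE)


def looks_like_injection(value):
    """True when the input matches one of the signatures above (a secondary check only)."""
    return SIGNATURES.search(value) is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "a' OR 'a'='a"
    print("concat, payload  :", login_concat(conn, payload, payload))      # True
    print("param, payload   :", login_param(conn, payload, payload))       # False
    print("param, real creds:", login_param(conn, "alice", "s3cret"))      # True
    print("signature hit    :", looks_like_injection("x UNION\tSELECT y"))  # True
```

The parameterized query is what removes the bug; the signature check only flags the patterns Paul lists and, as he says, should not be the main defense.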
