WebApp Sec mailing list archives
RE: SQL Injection
From: <stevenr () mastek com>
Date: Wed, 2 Jun 2004 13:56:54 +0530
Hi,

The best way would be creating a white list, allowing only defined characters and rejecting everything else. Saves you headaches in the long run. Use Regexes for this. This here is an interesting article: http://www.aspectsecurity.com/article/bld_HTTP_req_val_engine.html

Regards,
Steven Rebello

-----Original Message-----
From: Serg B. [mailto:serg () dodo com au]
Sent: Tuesday, June 01, 2004 7:07 PM
To: emanuelez () libero it
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection

Hi,

Perhaps you could limit or anticipate the character set used for users' usernames and passwords and filter out everything else?

On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
> Hello Everybody!
> I recently found out that one of my websites suffered SQL injections like this:
> Login: a' OR 'a'='a
> Password: a' OR 'a'='a
> I solved the problem checking whether the logon or password variables contained the "'" char... is it safe enough? I checked around the net and found a recent paper from Imperva but it does not talk about single chars checking... I tried to use different encodings but that string in UTF-8 is just the same... any hint?
--
Serg B. <serg () dodo com au>
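As an added illustration of the allow-list approach Steven and Serg describe (example code written for this archive page, not code from any poster), the snippet below validates the login name against a regex that defines the permitted characters and rejects everything else, puts the single-quote check from the original question beside it for comparison, and then looks the user up with a parameterized query so that user input is never spliced into the SQL text. The character set, length limits, the in-memory SQLite table and the sample user are all constructed assumptions; SHA-256 stands in for a proper slow password hash only to keep the example short.

```python
import hashlib
import hmac
import re
import sqlite3

# Allow-list: only these characters, 3 to 32 of them, may appear in a login name.
# The exact policy is an assumption for this example; pick the one your site needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def is_valid_username(value: str) -> bool:
    """Allow-list check: True only when every character is in the permitted set."""
    return USERNAME_RE.fullmatch(value) is not None


def contains_quote(value: str) -> bool:
    """The single-character check from the original question, kept for comparison."""
    return "'" in value


def hash_password(password: str) -> str:
    """Stand-in for a real password hash (use a slow KDF in production)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed sample database with a single user (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO users (login, pw_hash) VALUES (?, ?)",
        ("alice", hash_password("correct horse")),
    )
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Validate the login name against the allow-list, then look it up safely."""
    if not is_valid_username(username):
        # Rejected before any SQL is built; nothing from the request reaches the query.
        return False
    # Bound parameter: the driver passes the value separately from the SQL text.
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE login = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored hash with the hash of the supplied password.
    return hmac.compare_digest(row[0], hash_password(password))


if __name__ == "__main__":
    db = setup_db()
    payload = "a' OR 'a'='a"  # the string quoted in the original question
    print("allow-list accepts 'alice':", is_valid_username("alice"))
    print("allow-list rejects payload:", not is_valid_username(payload))
    print("quote check flags payload:", contains_quote(payload))
    print("login alice/correct horse:", login(db, "alice", "correct horse"))
    print("login with payload:", login(db, payload, payload))
```

The regex is anchored by `fullmatch`, so a partial match somewhere inside the string is not enough; the whole value has to consist of permitted characters. Passwords are deliberately not run through the same allow-list: they are hashed and compared in code, never placed in the query, so their character set does not need to be restricted.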
Current thread:
- SQL Injection Emanuele Zattin (May 31)
- Re: SQL Injection windo (Jun 01)
- RE: SQL Injection V. Poddubniy (Jun 01)
- Re: SQL Injection Serg B. (Jun 01)
- Re: SQL Injection RSnake (Jun 01)
- Re: SQL Injection Paul (Jun 01)
- <Possible follow-ups>
- RE: SQL Injection Scovetta, Michael V (Jun 01)
- Re: SQL Injection David Cameron (Jun 02)
- RE: SQL Injection Imperva Application Defense Center (Jun 02)
- RE: SQL Injection stevenr (Jun 02)
- Re: SQL Injection Steven M. Christey (Jun 03)
- Re: SQL Injection The Crocodile (Jun 04)
- RE: SQL Injection stevenr (Jun 06)
- RE: SQL Injection The Crocodile (Jun 06)
- Re: SQL Injection Jeff Williams (Jun 08)
- Re: SQL Injection saphyr (Jun 09)
- RE: SQL Injection The Crocodile (Jun 06)
- Request for comments - French readers saphyr (Jun 08)
- Re: SQL Injection Steven M. Christey (Jun 08)
- RE: SQL Injection Michael Howard (Jun 09)
- RE: SQL Injection or XML gcb33 (Jun 09)