WebApp Sec mailing list archives

RE: SQL Injection


From: <stevenr () mastek com>
Date: Wed, 2 Jun 2004 13:56:54 +0530

Hi 

The best way would be creating a white list, allowing only defined characters and rejecting everything else. Saves you 
headaches in the long run. Use regexes for this.

This here is an interesting article 
http://www.aspectsecurity.com/article/bld_HTTP_req_val_engine.html

Regards,
Steven Rebello
-----Original Message-----
From: Serg B. [mailto:serg () dodo com au]
Sent: Tuesday, June 01, 2004 7:07 PM
To: emanuelez () libero it
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection


Hi, 

Perhaps you could limit or anticipate the character set used for users'
usernames and passwords and filter out everything else?


On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
Hello Everybody!
I recently found out that one of my websites suffered SQL injections like this:

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem checking whether the logon or password variables 
contained the "'" char... is it safe enough? I checked around the net and found a recent paper from Imperva but it 
does not talk about single chars 
checking... I tried to use different encodings but that string in UTF-8 is 
just the same... any hint?
-- 
Serg B. <serg () dodo com au>
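The three approaches discussed in this thread side by side, as an added example that is not code from any of the posters: the concatenated login query that the payload from the original message (`a' OR 'a'='a`) bypasses, the character whitelist Steven and Serg suggest, and a parameterized query, which is the fix that needs no restriction on the input alphabet at all. The in-memory SQLite table, the users in it and the exact whitelist patterns are constructed for this example and are assumptions, not anything from the posts.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite users table with two accounts.
# Passwords are stored in clear text only to keep the example short; a real
# system stores a salted password hash and compares against that.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cretpass')")
    conn.execute("INSERT INTO users VALUES ('bob', ?)", ("it's",))  # quote in password
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: the user's input is pasted into the SQL text.

    With username = password = "a' OR 'a'='a" the statement becomes
      ... WHERE username = 'a' OR 'a'='a' AND password = 'a' OR 'a'='a'
    and the trailing OR 'a'='a' makes the WHERE clause true for every row.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


# Whitelist approach: define the characters a field may contain and reject
# everything else. These two patterns are assumptions for the example; note that
# the password pattern forbids "'" and spaces, so bob's password cannot be used.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
PASSWORD_RE = re.compile(r"^[A-Za-z0-9!@#$%^&*()_+=.,:;?-]{8,64}$")


def validate(username, password):
    """True only if both fields consist solely of whitelisted characters."""
    return bool(USERNAME_RE.match(username)) and bool(PASSWORD_RE.match(password))


def login_whitelisted(conn, username, password):
    """Whitelist in front of the same concatenated query.

    Safe only as long as the whitelist excludes every character that has
    meaning inside a SQL string literal for the database in use.
    """
    if not validate(username, password):
        return False
    return login_vulnerable(conn, username, password)


def login_parameterized(conn, username, password):
    """Bound parameters: the input is sent as data, never parsed as SQL.

    No character restriction is needed, so a password containing a quote works.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "a' OR 'a'='a"   # the injection from the original message
    print("vulnerable, payload:     ", login_vulnerable(db, payload, payload))
    print("whitelisted, payload:    ", login_whitelisted(db, payload, payload))
    print("parameterized, payload:  ", login_parameterized(db, payload, payload))
    print("parameterized, alice:    ", login_parameterized(db, "alice", "s3cretpass"))
    print("parameterized, bob:      ", login_parameterized(db, "bob", "it's"))
    print("whitelisted, bob:        ", login_whitelisted(db, "bob", "it's"))
```

The whitelist stops the payload above, but it also rejects bob's legitimate password and stays correct only while the pattern keeps out every metacharacter the target database's string literals recognise. The parameterized version has neither problem, which is why it is the primary fix; the whitelist is still useful as a second layer for fields such as usernames that have a naturally narrow alphabet.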




