Vulnerability Development mailing list archives
Re: malformed sql queries
From: pgut001 () cs auckland ac nz (Peter Gutmann)
Date: Sun, 30 Dec 2001 16:19:37 +1300 (NZDT)
"JayBonci" <jay () manifestresearch com> writes:
> Wrap all your functions and do a $id =~ s/\'/\\\'/g; on your stuff.
That isn't really enough though. At the moment I automatically escape the single quote ('), '\', '%', and ';', and also '|' under Windows (wonderful option that last one, try '|shell("cmd /c echo " & chr(124) & " format c:")|' on an ODBC data source). Are there any more which need to be caught?

Peter.
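The thread is asking which characters a deny-list escape such as the Perl `s/\'/\\\'/g` above must cover. The following is an added example, not code from either poster: it uses Python and SQLite (rather than the Perl/ODBC setup in the thread) to show the two approaches that make the "which characters?" question moot, an allow-list check on the id and a bound query parameter, next to the string-spliced query that the escaping is trying to protect. The `users` table and its rows are constructed sample data.

```python
import re
import sqlite3

# Constructed sample rows; not data from the original thread.
SAMPLE_ROWS = [("42", "alice"), ("o'brien", "bob"), ("100%", "carol")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


# Option 1: allow-list. If $id is meant to be a number, accept only digits.
# A rejected value never reaches the query, whatever quoting characters it holds.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def validate_numeric_id(value):
    """Return True only when value is a plain decimal id (no sign, space or newline)."""
    return ID_PATTERN.fullmatch(value) is not None


# Option 2: bound parameters. The driver transmits the value separately from the
# SQL text, so ' \ % ; | and anything else are plain data; there is no escape list
# to maintain and nothing to forget.
def lookup_name(conn, user_id):
    """Look up a user by id using a bound parameter (the ? placeholder)."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


# For contrast, the fragile pattern the thread is discussing: splice the value into
# the statement text. A legitimate id such as o'brien already breaks it, which is why
# the deny-list question comes up at all.
def lookup_name_spliced(conn, user_id):
    """String-built query: a single quote in user_id changes the statement's structure."""
    try:
        row = conn.execute("SELECT name FROM users WHERE id = '%s'" % user_id).fetchone()
    except sqlite3.OperationalError:
        return "SYNTAX ERROR"  # the quote was parsed as SQL instead of data
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for candidate in ("42", "o'brien", "100%"):
        print(candidate, "numeric:", validate_numeric_id(candidate),
              "bound:", lookup_name(db, candidate),
              "spliced:", lookup_name_spliced(db, candidate))
```

With the bound parameter, `o'brien` and `100%` are looked up correctly and a value mixing all of the characters in Peter's list simply finds no row; the spliced version fails on the first apostrophe. The allow-list is the right choice when the field has a known shape (a numeric id), and the parameter binding covers every other case without a per-database list of characters.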
Current thread:
- malformed sql queries Gabriel A. Maggiotti (Dec 29)
- Re: malformed sql queries JayBonci (Dec 29)
- Re: malformed sql queries Francois Scala (Dec 30)
- <Possible follow-ups>
- Re: malformed sql queries Peter Gutmann (Dec 29)
- Re: malformed sql queries JayBonci (Dec 29)
- Re: malformed sql queries Peter Gutmann (Dec 29)
- Re: malformed sql queries Blue Boar (Dec 29)
- Re: malformed sql queries Kevin Hegg (Dec 31)