Vulnerability Development mailing list archives

Re: malformed sql queries


From: pgut001 () cs auckland ac nz (Peter Gutmann)
Date: Sun, 30 Dec 2001 16:19:37 +1300 (NZDT)

"JayBonci" <jay () manifestresearch com> writes:

Wrap all your functions and do a $id =~ s/\'/\\\'/g; on your stuff.

That isn't really enough though.  At the moment I automatically escape ''',
'\', '%', and ';', and also '|' under Windows (wonderful option that last one,
try '|shell("cmd /c echo " & chr(124) & " format c:")|' on an ODBC data
source).  Are there any more which need to be caught?

Peter.
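As an added example (not code from this thread or from either poster), the Perl one-liner quoted above is ported to Python and run against SQLite next to a parameterized query, to show why a fixed list of characters to escape depends on the backend while bound parameters need no such list. The table, the sample rows and the function names are constructed for the illustration.

```python
import sqlite3

# Constructed sample rows containing the characters discussed in the thread:
# single quote, percent, semicolon, pipe and backslash.
SAMPLE_ROWS = [
    (1, "O'Brien"),
    (2, "Smith"),
    (3, "100% sure"),
    (4, "a;b|c\\d"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def backslash_escape(value):
    """Port of the Perl substitution from the thread: $id =~ s/\\'/\\\\\\'/g

    It prefixes every single quote with a backslash, which is what MySQL-style
    string literals expect.  SQLite (like standard SQL) does not treat a
    backslash as an escape character at all; a quote is escaped by doubling it.
    """
    return value.replace("'", "\\'")


def lookup_escaped(conn, name):
    """String-splice the escaped value into the query, as the one-liner intends.

    Returns the list of matching ids, or None when the spliced statement does
    not even parse on this backend.
    """
    sql = "SELECT id FROM users WHERE name = '%s'" % backslash_escape(name)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_param(conn, name):
    """Bind the value as a parameter: the driver never interprets its contents."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    for probe in ("Smith", "O'Brien", "100% sure", "a;b|c\\d"):
        print(repr(probe), "escaped:", lookup_escaped(db, probe),
              "bound:", lookup_param(db, probe))
```

On SQLite the backslash-escaped lookup of `O'Brien` does not parse (the literal closes at `'O\'`), while the bound-parameter lookup returns the row for every probe and treats quotes, `%`, `;`, `|` and `\` as ordinary characters; swapping the backend changes which characters the escape list would need, but not the bound query.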

