WebApp Sec mailing list archives
Re: Strange behaviour in sql injection
From: Mariusz Pekala <skoot () poczta onet pl>
Date: Sat, 30 Nov 2002 21:26:20 +0100
Dennis Hurst (Tue, 29 October 2002 15:06):
> The proper way to do it would have been:
>
>     if IsNumeric(Request("passedID")) then
>         'all is well, build the SQL
>         sSql = "select * from myTable where ID = " & cstr(clng(Request("passedID")))
>         'do some database stuff here
>     else
>         'go away, you're doing something bad....
>     end if
>
> Using the cstr(CLng()) functions will convert it to a numeric and back again, effectively removing the SQL injection.
Why not use a regular expression on the raw request data? /^[0-9]{1,8}$/ (or similar, depending on the language of the application) should ensure that you're dealing with a numeric (an integer, if that's what you need). I may be wrong, or may not understand it all, but I would rather not trust functions that convert. They sometimes ignore/modify/guess. If I check that the string my webapp received contains only numbers, and not more than 9, then I may be SURE that there is no SQL injection here. (Be gentle if I am saying something stupid or didn't understand what was going on :-))) )
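The two approaches discussed in this thread, the allowlist regex on the raw string and the convert-and-back trick, side by side as an added example (not code from either poster). It uses Python and sqlite3 as stand-ins for the ASP/VBScript and database of the original; the table and its rows are constructed for the demo. It also shows one regex detail worth checking: with Python's re.match, `$` accepts a trailing newline, so fullmatch is used for the real check.

```python
import re
import sqlite3

# The regex from the post, applied two ways. re.match with `$` still matches
# "12\n" (the `$` anchor tolerates a trailing newline); re.fullmatch does not.
NUMERIC_ID_LOOSE = re.compile(r"^[0-9]{1,8}$")
NUMERIC_ID = re.compile(r"[0-9]{1,8}")


def is_numeric_id_loose(raw: str) -> bool:
    """The regex as written, via re.match: lets '12\\n' through."""
    return NUMERIC_ID_LOOSE.match(raw) is not None


def is_numeric_id(raw: str) -> bool:
    """Strict allowlist: the whole string must be 1 to 8 ASCII digits."""
    return NUMERIC_ID.fullmatch(raw) is not None


def convert_and_back(raw: str):
    """Python analogue of cstr(clng(x)): round-trip through int().

    Returns the canonical string, or None if int() refuses the input.
    Note that int() silently accepts surrounding whitespace and
    underscore separators, which is the kind of 'guessing' the post
    is wary of; the value that comes back is still a safe integer."""
    try:
        return str(int(raw))
    except ValueError:
        return None


def build_query(raw: str):
    """Allowlist the raw string first, then still bind it as a parameter
    rather than concatenating it into the SQL text."""
    if not is_numeric_id(raw):
        return None
    return ("select * from myTable where ID = ?", (int(raw),))


def lookup(raw: str):
    """Run the validated query against a constructed in-memory table."""
    query = build_query(raw)
    if query is None:
        return None
    con = sqlite3.connect(":memory:")
    con.execute("create table myTable (ID integer, name text)")
    con.executemany("insert into myTable values (?, ?)",
                    [(1, "first"), (42, "answer")])
    return con.execute(*query).fetchall()
```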