WebApp Sec mailing list archives
Re: SQL Injection
From: RSnake <rsnake () shocking com>
Date: Tue, 1 Jun 2004 13:13:14 -0700 (PDT)
What about normalizing the data first?

a' OR 'a'='a

becomes:

a' OR 'a'='a

Then you can use that string as the password, which will have no effect on the select string. Then that string can contain anything and it will not negatively affect your database.

Or, better yet, don't allow any special characters in the username field (other than @ and . and - if you allow email addresses) and hash the password PRIOR to doing select statements against it in the database. You shouldn't store the plaintext password anyway.

On Tue, 1 Jun 2004, Serg B. wrote:

| Date: Tue, 01 Jun 2004 23:36:54 +1000
| From: Serg B. <serg () dodo com au>
| To: emanuelez () libero it
| Cc: webappsec () securityfocus com
| Subject: Re: SQL Injection
|
| Hi,
|
| Perhaps you could limit or anticipate the character set used for users'
| usernames and passwords and filter out everything else?
|
|
| On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
| > Hello Everybody!
| > I recently found out that one of my websites suffered SQL injections like
| > this:
| >
| > Login: a' OR 'a'='a
| > Password: a' OR 'a'='a
| >
| > I solved the problem by checking whether the logon or password variables
| > contained the "'" char... is it safe enough? I checked around the net and
| > found a recent paper from Imperva but it does not talk about single-char
| > checking... I tried to use different encodings but that string in UTF-8 is
| > just the same... any hint?
| --
| Serg B. <serg () dodo com au>

-R

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is expressly prohibited and may be unlawful.
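The following is an added example, not code from the original thread or from any of its participants. It reproduces the original poster's concatenated login query against an in-memory SQLite table with one constructed account, shows the `a' OR 'a'='a` payload logging in, and then shows the two fixes RSnake describes: normalizing the input (shown here as standard SQL single-quote doubling, since the archive lost the escaped form from his message) and whitelisting the username while hashing the password before it reaches the SELECT. The hardened login also binds the values as query parameters, which is the standard fix today and goes beyond what the thread discusses. The table layout, the `alice` account, the username regex and the use of plain SHA-256 are all assumptions made for the demonstration.

```python
import hashlib
import re
import sqlite3

# The payload from the thread, used as both login and password.
INJECTION = "a' OR 'a'='a"

# Hypothetical username policy following RSnake's suggestion: letters, digits,
# and the @ . - needed for e-mail addresses; everything else is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9@.\-]{1,64}$")


def valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def hash_password(password):
    # "Hash the password PRIOR to doing select statements": the hex digest only
    # contains [0-9a-f], so nothing the user typed ever reaches the SQL text.
    # Assumption for the demo: bare SHA-256.  A real system should use a
    # salted, slow password hash (hashlib.pbkdf2_hmac, scrypt, ...) instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def normalize(value):
    # RSnake's "normalizing" step, shown as standard SQL quote doubling: a
    # single quote inside a string literal is written as two single quotes.
    return value.replace("'", "''")


def make_db():
    # Constructed sample data: one account.  The plaintext password column
    # exists only so the original vulnerable query can be reproduced; the
    # hardened login uses the hash column and never needs it.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", "correct horse", hash_password("correct horse")))
    conn.commit()
    return conn


def _count(conn, sql, params=()):
    return conn.execute(sql, params).fetchone()[0]


def login_vulnerable(conn, username, password):
    # The pattern the original poster had: raw string concatenation.
    # With the payload in both fields the WHERE clause becomes
    #   username = 'a' OR 'a'='a' AND password = 'a' OR 'a'='a'
    # which is true for every row, so the login succeeds.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return _count(conn, sql) > 0


def login_escaped(conn, username, password):
    # Still concatenation, but quotes are doubled first, so the payload stays
    # inside its string literal and matches nobody.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + normalize(username)
           + "' AND password = '" + normalize(password) + "'")
    return _count(conn, sql) > 0


def login_hardened(conn, username, password):
    # 1. whitelist the username, 2. hash the password before it goes near SQL,
    # 3. bind both values as parameters instead of building the query text.
    if not valid_username(username):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND pwhash = ?"
    return _count(conn, sql, (username, hash_password(password))) > 0


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable),
                     ("escaped", login_escaped),
                     ("hardened", login_hardened)):
        print(name, "payload ->", fn(db, INJECTION, INJECTION),
              "| alice ->", fn(db, "alice", "correct horse"))
```

Quote doubling only protects the string-literal context shown here; a numeric field or a different quoting context needs its own handling, which is why the hardened version does not rely on normalization at all and lets the driver bind the values.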
Current thread:
- SQL Injection Emanuele Zattin (May 31)
- Re: SQL Injection windo (Jun 01)
- RE: SQL Injection V. Poddubniy (Jun 01)
- Re: SQL Injection Serg B. (Jun 01)
- Re: SQL Injection RSnake (Jun 01)
- Re: SQL Injection Paul (Jun 01)
- <Possible follow-ups>
- RE: SQL Injection Scovetta, Michael V (Jun 01)
- Re: SQL Injection David Cameron (Jun 02)
- RE: SQL Injection Imperva Application Defense Center (Jun 02)
- RE: SQL Injection stevenr (Jun 02)
- Re: SQL Injection Steven M. Christey (Jun 03)
- Re: SQL Injection The Crocodile (Jun 04)
- RE: SQL Injection stevenr (Jun 06)
- RE: SQL Injection The Crocodile (Jun 06)
- Re: SQL Injection Jeff Williams (Jun 08)
- RE: SQL Injection The Crocodile (Jun 06)
(Thread continues...)