Re: SQL Injection

[RSnake <rsnake () shocking com>]

        What about normalizing the data first?

a' OR 'a'='a

becomes:

a'&#32OR&#32'a'='a

        Then you can use that string as the password, which will have no effect
on the select string.  Then that string can contain anything and it will not
negatively effect your database.

        Or, better yet, don't allow any special charachters in the username
field (other than @ and . and - if you allow email addresses) and hash the
password PRIOR to doing select statements against it in the database.  You
shouldn't store the plaintext password anyway.

On Tue, 1 Jun 2004, Serg B. wrote:

| Date: Tue, 01 Jun 2004 23:36:54 +1000
| From: Serg B. <serg () dodo com au>
| To: emanuelez () libero it
| Cc: webappsec () securityfocus com
| Subject: Re: SQL Injection
|
| Hi,
|
| Perhaps you could limit or anticipate charecter set used for users
| username and passwords and filter out everything else?
|
|
| On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
| > Hello Everybody!
| > I recently found out that one of my websites suffered SQL injections like
| > this:
| >
| > Login: a' OR 'a'='a
| > Password: a' OR 'a'='a
| >
| > I solved the problem checking whether the logon or password variables
| > contained the "'" char... is it safe enough? i checked around the net and
| > found a recent paper from Imperva but it does not talk about single chars
| > checking... i tried to ude different encodings but that string in UTF-8 is
| > just the same... any hint?
| --
| Serg B. <serg () dodo com au>
|

-R

The information in this email is confidential and may be legally
privileged.  It is intended solely for the addressee.  Access to
this email by anyone else is unauthorized.  If you are not the
intended recipient, any disclosure, copying, distribution or any
action taken or omitted to be taken in reliance on it is
expressly prohibited and may be unlawful.