RE: SQL Injection

["Scovetta, Michael V" <Michael.Scovetta () ca com>]

What if their name was O'Henry? Security must be paramount to the
developer, but invisible to the client. Best choice: parameterized
queries. Second best: have a stored procedure make the modification.
Third: filter IN good characters. Forth: filter OUT bad characters.

Since I started using parameterized queries (via Java's
PreparedStatement object), I haven't run into a single SQL injection
issue. My hat's off to the developers for a clean, easy to use
interface. 

IMHO, this is the way of the 'future'-- addslashes() and other hacks are
always going to suffer from special cases that get missed, or DBMS
oddities like strange escape sequences.

Michael Scovetta
Computer Associates
Application Developer

> -----Original Message-----
> From: Serg B. [mailto:serg () dodo com au]
> Sent: Tuesday, June 01, 2004 9:37 AM
> To: emanuelez () libero it
> Cc: webappsec () securityfocus com
> Subject: Re: SQL Injection
>
> Hi,
>
> Perhaps you could limit or anticipate charecter set used for users
> username and passwords and filter out everything else?
>
>
> On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
> > Hello Everybody!
> > I recently found out that one of my websites suffered SQL injections
> like
> > this:
> >
> > Login: a' OR 'a'='a
> > Password: a' OR 'a'='a
> >
> > I solved the problem checking whether the logon or password
variables
> > contained the "'" char... is it safe enough? i checked around the
net
> and
> > found a recent paper from Imperva but it does not talk about single
> chars
> > checking... i tried to ude different encodings but that string in
UTF-8
> is
> > just the same... any hint?
> --
> Serg B. <serg () dodo com au>