WebApp Sec mailing list archives
RE: SQL Injection
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Tue, 1 Jun 2004 16:27:32 -0400
What if their name was O'Henry?

Security must be paramount to the developer, but invisible to the client.

Best choice: parameterized queries.
Second best: have a stored procedure make the modification.
Third: filter IN good characters.
Fourth: filter OUT bad characters.

Since I started using parameterized queries (via Java's PreparedStatement object), I haven't run into a single SQL injection issue. My hat's off to the developers for a clean, easy to use interface. IMHO, this is the way of the 'future'-- addslashes() and other hacks are always going to suffer from special cases that get missed, or DBMS oddities like strange escape sequences.

Michael Scovetta
Computer Associates
Application Developer
-----Original Message-----
From: Serg B. [mailto:serg () dodo com au]
Sent: Tuesday, June 01, 2004 9:37 AM
To: emanuelez () libero it
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection

Hi,

Perhaps you could limit or anticipate the character set used for users' usernames and passwords and filter out everything else?

On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
> Hello Everybody!
> I recently found out that one of my websites suffered SQL injections like this:
> Login: a' OR 'a'='a
> Password: a' OR 'a'='a
> I solved the problem checking whether the logon or password variables contained the "'" char... is it safe enough? I checked around the net and found a recent paper from Imperva but it does not talk about single char checking... I tried to use different encodings but that string in UTF-8 is just the same... any hint?

--
Serg B. <serg () dodo com au>
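Michael's ranking and Emanuele's question, as an added example that is not from the thread: the concatenated query that the quoted `a' OR 'a'='a` login slips past, the single-quote check that locks out a legitimate O'Henry, and the parameterized query that handles both correctly. Python's sqlite3 placeholders stand in for Java's PreparedStatement; the user table is constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; the apostrophe in O'Henry is the
    legitimate input the thread is worried about."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("O'Henry", "secret"))
    return db


def login_concat(db, user, pw):
    """Vulnerable form: user input spliced into the SQL text.
    Returns True/False, or 'error' when the input breaks the statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + user
           + "' AND password = '" + pw + "'")
    try:
        return db.execute(sql).fetchone()[0] > 0
    except sqlite3.OperationalError:  # e.g. the stray quote in O'Henry
        return "error"


def quote_check_passes(user, pw):
    """The original poster's fix: reject any value containing a single quote.
    It blocks the payload, but also blocks every O'Henry."""
    return "'" not in user and "'" not in pw


def login_param(db, user, pw):
    """Parameterized query: values travel separately from the SQL text, so a
    quote inside the data is data, never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (user, pw)).fetchone()[0] > 0


INJECTION = "a' OR 'a'='a"  # the payload quoted in the thread

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, INJECTION, INJECTION))   # True: login bypassed
    print(login_concat(db, "O'Henry", "secret"))    # error: quote breaks the SQL
    print(quote_check_passes("O'Henry", "secret"))  # False: real user locked out
    print(login_param(db, INJECTION, INJECTION))    # False: payload is a plain string
    print(login_param(db, "O'Henry", "secret"))     # True: apostrophe handled
```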