WebApp Sec mailing list archives

Re: SQL Injection


From: David Cameron <david () uberconcept com>
Date: Wed, 02 Jun 2004 18:34:14 +1000

The other thing to be aware of in SQL injection is when someone inserts a string where you expect an integer. This also tends to be caught when using parameterised queries as they are strongly typed. If you aren't using parameterised queries (and why aren't you), strong type checking is a must. An example of where this might be a problem:

SELECT *
FROM MyTable
WHERE SomeGRoupID = @Val

If the value 'SomeGRoupID' (without the quotes) were inserted, all values would be returned. I think you can see the possibilities of this approach.

regards
David Cameron


Scovetta, Michael V wrote:
What if their name was O'Henry? Security must be paramount to the
developer, but invisible to the client. Best choice: parameterized
queries. Second best: have a stored procedure make the modification.
Third: filter IN good characters. Fourth: filter OUT bad characters.

Since I started using parameterized queries (via Java's
PreparedStatement object), I haven't run into a single SQL injection
issue. My hat's off to the developers for a clean, easy to use
interface.
IMHO, this is the way of the 'future'-- addslashes() and other hacks are
always going to suffer from special cases that get missed, or DBMS
oddities like strange escape sequences.

Michael Scovetta
Computer Associates
Application Developer


-----Original Message-----
From: Serg B. [mailto:serg () dodo com au]
Sent: Tuesday, June 01, 2004 9:37 AM
To: emanuelez () libero it
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection

Hi,

Perhaps you could limit or anticipate the character set used for users'
usernames and passwords and filter out everything else?


On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:

Hello Everybody!
I recently found out that one of my websites suffered SQL injections
like this:

Login: a' OR 'a'='a
Password: a' OR 'a'='a

I solved the problem checking whether the logon or password variables
contained the "'" char... is it safe enough? I checked around the net
and found a recent paper from Imperva but it does not talk about single
chars checking... I tried to use different encodings but that string in
UTF-8 is just the same... any hint?

--
Serg B. <serg () dodo com au>
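The three points raised in this thread (the a' OR 'a'='a login bypass from the original question, the O'Henry problem with quote filtering, and David's string-where-an-integer-is-expected case) can all be reproduced in one place. The following is an added example, not code from any of the posters; it uses Python's sqlite3 module rather than the Java PreparedStatement or the @Val parameter mentioned above, and the Users table, its three rows and the column names are constructed for the demonstration. Because sqlite3 does not enforce a declared parameter type the way a typed @Val does, the hardened group lookup adds an explicit isinstance check to stand in for that strong typing.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): one user with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (Username TEXT, Password TEXT, SomeGroupID INTEGER);
        INSERT INTO Users VALUES ('alice',   'secret1', 1);
        INSERT INTO Users VALUES ('O''Henry', 'secret2', 2);
        INSERT INTO Users VALUES ('carol',   'secret3', 3);
    """)
    return conn


def login_concat(conn, username, password):
    """VULNERABLE: the login query built by string concatenation, as in the original question."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Parameterised: the values never become part of the SQL text, so quotes are just data."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def by_group_concat(conn, group_id):
    """VULNERABLE: David's case, caller-supplied text dropped where an integer is expected."""
    sql = "SELECT Username FROM Users WHERE SomeGroupID = " + str(group_id)
    return [row[0] for row in conn.execute(sql)]


def by_group_param(conn, group_id):
    """Hardened: strong type check plus a bound parameter.

    sqlite3 would happily bind a string here and let SQLite coerce it, so the
    isinstance check is what gives us the 'strongly typed' guarantee the post
    attributes to parameterised queries on a typed database driver.
    """
    if not isinstance(group_id, int) or isinstance(group_id, bool):
        raise TypeError("group_id must be an int, got %r" % (group_id,))
    sql = "SELECT Username FROM Users WHERE SomeGroupID = ?"
    return [row[0] for row in conn.execute(sql, (group_id,))]


def demo():
    """Run each vulnerable query beside its parameterised counterpart and collect the outcomes."""
    conn = make_db()
    results = {}
    bypass = "a' OR 'a'='a"

    # 1. Login bypass: concatenation returns every user; the bound parameter matches nobody.
    results["bypass_concat"] = login_concat(conn, bypass, bypass)
    results["bypass_param"] = login_param(conn, bypass, bypass)

    # 2. Legitimate apostrophe: concatenation breaks the SQL; the bound parameter just works.
    try:
        results["ohenry_concat"] = login_concat(conn, "O'Henry", "secret2")
    except sqlite3.OperationalError as exc:
        results["ohenry_concat"] = "error: " + str(exc)
    results["ohenry_param"] = login_param(conn, "O'Henry", "secret2")

    # 3. Integer slot: 'SomeGroupID' makes the WHERE clause compare the column to itself.
    results["group_concat"] = by_group_concat(conn, "SomeGroupID")
    try:
        results["group_param"] = by_group_param(conn, "SomeGroupID")
    except TypeError as exc:
        results["group_param"] = "rejected: " + str(exc)
    results["group_param_ok"] = by_group_param(conn, 2)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Note that the bypass works even though AND binds tighter than OR: the trailing OR 'a'='a' is true for every row regardless of how the left-hand side groups. Stripping the apostrophe, as the original poster did, stops this particular string but also breaks O'Henry's login, which is the point Michael makes; the parameterised version needs no filtering at all.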
