RE: SQL injection (no single quotes used)

[Michael Silk <michaelsilk () gmail com>]

 Juan,

 I could not reproduce for SQL Server 2000.

 Perhaps what you are observing has something to do with quoted
identifiers? (http://www.sqlteam.com/item.asp?ItemID=1649).

-- Michael

> -----Original Message-----
> From: Juan Carlos Calderon [mailto:johnccr () yahoo com] 
> Sent: Friday, 10 December 2004 2:53 AM
> To: webappsec () securityfocus com
> Subject: SQL injection (no single quotes used)
>
> Hi all
>
> While in Oracle escaping apostrophe (') character seems to be 
> enough protection for Sql Injection (I think is not), this is 
> not true for Sql Server. Here a little example I think many 
> of you will find useful.
>
> For an on-the-fly query like:
> Query = "select field1, field2... from table where id = '" + 
> FixSQL (FieldValue) + "'"
>
> Where FixSQL will escape single quotes AKA apostrophe, the 
> following value for "FieldValue" will be
> effective:
>
> FieldValue = "(NewLine)GO(NewLine)Desired Sql Sentence(NewLine)GO"
>
> Final result is:
> select field1, field2... from table where id = '
> GO
> Desired Sql Sentence
> GO
> '
>
> Here the MS Documentation for GO Keyword:
> <snip>
> SQL Server utilities interpret GO as a signal that they 
> should send the current batch of Transact-SQL statements to 
> SQL Server. The current batch of statements is composed of 
> all statements entered since the last GO, or since the start 
> of the ad hoc session or script if this is the first GO </snip>
>
> So one sentence become three, sentences one and three will 
> fail, but sentence two (the one of our interest) will execute 
> successfully.
>
> Hope you find this interesting
>
> Cheers,
> -JC
>
> _________________________________________________________
> Do You Yahoo!?
> Información de Estados Unidos y América Latina, en Yahoo! Noticias.
> Visítanos en http://noticias.espanol.yahoo.com