RE: SQL injection (no single quotes used)

[Juan Carlos <johnccr () yahoo com>]

hum...

not sure about this, from a web application
perspective,  all data is handled as plain text, I
mean, even if I encode the information in the URL (for
example) my java web application (for example), always
will get an ' character after calling getParamer. How
can en encoded character "touch" the Web Application
Software? Does the DB manager does decoding as well?.

Cheers
-JC

 --- Michael Howard <mikehow () microsoft com> escribió: 
> From my experience, escaping is often never enough,
> because there a number of attacks that don't use
> quotes (etc) 
>
> I'm not saying escaping quotes is bad, it's just not
> good enough on its own.
>
> [Writing Secure Code]
> http://www.microsoft.com/mspress/books/5957.asp
> [Protect Your PC] http://www.microsoft.com/protect
> [Blog] http://blogs.msdn.com/michael_howard
>
> [On-line Security Training]
> http://mste/training/offerings.asp?TrainingID=53074
>
>
> -----Original Message-----
> From: Adam Tuliper [mailto:amt () gecko-software com] 
> Sent: Tuesday, December 14, 2004 11:30 AM
> To: Juan Carlos Calderon;
> webappsec () securityfocus com
> Subject: Re: SQL injection (no single quotes used)
>
> Michael Howard (and David LeBlanc) has a nice
> section in
> "writing secure code" about encoding characters. In
> some
> cases using char(0x27) as well as using entire words
> encoded via 0xXXXXXXXXXX can be used. Watching for
> "'" is
> not enough.
> I think Michael is on this list.. any words Michael?
>
>
>
> On Thu, 9 Dec 2004 09:53:03 -0600 (CST)
>  Juan Carlos Calderon <johnccr () yahoo com> wrote:
> > Hi all
> >
> > While in Oracle escaping apostrophe (') character
> > seems to be enough protection for Sql Injection (I
> > think is not), this is not true for Sql Server.
> Here a
> > little example I think many of you will find
> useful.
> > For an on-the-fly query like:
> > Query = "select field1, field2... from table where
> id
> > = '" + FixSQL (FieldValue) + "'"
> >
> > Where FixSQL will escape single quotes AKA
> apostrophe,
> > the following value for "FieldValue" will be
> > effective:
> >
> > FieldValue = "(NewLine)GO(NewLine)Desired Sql
> > Sentence(NewLine)GO"
> >
> > Final result is:
> > select field1, field2... from table where id = '
> > GO
> > Desired Sql Sentence
> > GO
> > '
> >
> > Here the MS Documentation for GO Keyword:
> > <snip>
> > SQL Server utilities interpret GO as a signal that
> > they should send the current batch of Transact-SQL
> > statements to SQL Server. The current batch of
> > statements is composed of all statements entered
> since
> > the last GO, or since the start of the ad hoc
> session
> > or script if this is the first GO
> > </snip>
> >
> > So one sentence become three, sentences one and
> three
> > will fail, but sentence two (the one of our
> interest)
> > will execute successfully.
> >
> > Hope you find this interesting
> >
> > Cheers,
> > -JC
_________________________________________________________
> > Do You Yahoo!?
> > Información de Estados Unidos y América Latina, en
> Yahoo!
> > Noticias.
> > Visítanos en http://noticias.espanol.yahoo.com
---------------------------------------------------------------------
> Web mail provided by NuNet, Inc. The Premier
> National provider.
> http://www.nni.com/
>
>  

_________________________________________________________
Do You Yahoo!?
Información de Estados Unidos y América Latina, en Yahoo! Noticias.
Visítanos en http://noticias.espanol.yahoo.com