Pantek Library

Re: SQL Injection Basics

From: Sverre H. Huseby <shh(at)thathost.com>
Date: Tue Feb 11 2003 - 10:35:50 EST

[Taco Fleur]

| SQL Injection works only when

It's not just the tick marks, it's any character with special meaning to the database in the context of which data is inserted.

Consider a system talking to PostgreSQL (or MySQL or any other database that accepts C-style backslash escapes in string constants). If the developer just thinks about the ticks, he may (given ASP/VBScript) do the following:

    userName = Request.Form("username")
    userNameSQL = "'" & Replace(userName, "'", "''") & "'"
    query = "SELECT * FROM Usr WHERE UserName=" & userNameSQL

The code doubles all ticks when inserting the incoming data in an SQL string constant.

Now an attacker who knows more about PostgreSQL (or other bla bla) than the developer, may make the username parameter look like this:


    \'; DELETE FROM Usr --

The final query being sent to the database will, given doubling of ticks, look like this:

    SELECT * FROM Usr WHERE UserName='\''; DELETE FROM Usr --'


Notice how the backslash inserted by the attacker in effect escapes one of the two ticks, opening up for the nastiness the developer tried to prevent.

The bottom line: If using data-passing methods that combine data with control information (e.g. dynamic SQL rather than prepared statements), the developer will need to have a _full_ understanding of _every_ metacharacter supported by the database for the context in which the data is inserted.

Sverre.

-- 
shh@thathost.com		Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/	
http://nerdquiz.thathost.com/
Received on Tue Feb 11 11:55:30 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT
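As an added illustration of the point made in the message above (this is editorial example code, not code from the post or from Sverre's site), the following Python reproduces the tick-doubling from the ASP snippet, feeds it the attacker's username, and then runs the resulting query text through a deliberately simplified lexer that models a server which honours C-style backslash escapes in string literals against one that does not. The lexer is an assumption for the sake of the demonstration, not any real database's parser; the table `Usr`/`UserName` and the in-memory SQLite database used for the prepared-statement contrast are likewise constructed for the example.

```python
import sqlite3

# Constructed sample: the attacker's username exactly as given in the post.
ATTACKER_INPUT = r"\'; DELETE FROM Usr --"


def quote_tick_doubling(value: str) -> str:
    """The post's naive escaping: wrap in ticks and double any tick."""
    return "'" + value.replace("'", "''") + "'"


def build_dynamic_query(username: str) -> str:
    """Dynamic SQL built the same way as the ASP/VBScript snippet."""
    return "SELECT * FROM Usr WHERE UserName=" + quote_tick_doubling(username)


def split_statements(sql: str, backslash_escapes: bool) -> list[str]:
    """Simplified model (an assumption, not a real database parser) of how a
    server tokenises its input: single-quoted literals, '' as a doubled tick,
    '--' as a comment to end of line, ';' as a statement separator.  With
    backslash_escapes=True a backslash inside a literal escapes the next
    character (MySQL's default behaviour, and PostgreSQL's before
    standard_conforming_strings); with False the backslash is an ordinary
    character.  Returns the statements the server would see, comments stripped.
    """
    statements, current = [], []
    in_string = False
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if in_string:
            current.append(c)
            if backslash_escapes and c == "\\" and i + 1 < n:
                current.append(sql[i + 1])   # escaped char, a tick included
                i += 2
                continue
            if c == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    current.append("'")      # doubled tick stays in the literal
                    i += 2
                    continue
                in_string = False            # the literal ends here
            i += 1
            continue
        if c == "'":
            in_string = True
            current.append(c)
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)           # comment runs to end of line
            i = n if nl < 0 else nl
            continue
        elif c == ";":
            stmt = "".join(current).strip()
            if stmt:
                statements.append(stmt)
            current = []
        else:
            current.append(c)
        i += 1
    stmt = "".join(current).strip()
    if stmt:
        statements.append(stmt)
    return statements


def lookup_user_safely(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement with a bound parameter: the value travels separately
    from the SQL text, so no metacharacter in it can alter the statement."""
    return conn.execute(
        "SELECT UserName FROM Usr WHERE UserName = ?", (username,)
    ).fetchall()


def demo() -> tuple:
    """Constructed schema and rows; returns (matching rows, rows left in Usr)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Usr (UserName TEXT)")
    conn.executemany("INSERT INTO Usr VALUES (?)", [("alice",), ("bob",)])
    rows = lookup_user_safely(conn, ATTACKER_INPUT)
    remaining = conn.execute("SELECT COUNT(*) FROM Usr").fetchone()[0]
    return rows, remaining


if __name__ == "__main__":
    query = build_dynamic_query(ATTACKER_INPUT)
    print(query)
    for mode in (True, False):
        print(f"backslash_escapes={mode}:", split_statements(query, mode))
    print("bound parameter:", demo())
```

With backslash escapes honoured the lexer splits the query into two statements, the second of which is `DELETE FROM Usr`; without them the same text is one statement with a single, harmless literal. Which behaviour a real server exhibits depends on the product and its configuration: MySQL honours backslashes in literals unless `NO_BACKSLASH_ESCAPES` is set, PostgreSQL stopped doing so for plain literals once `standard_conforming_strings` became the default (9.1) but still does in `E'...'` literals, and SQLite never does, which is why the bound-parameter version above is the only one that is correct regardless of dialect.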

