Re: how to protect web server against SQL Injection ?
From: Yunus Emre ALPÖZEN (yemre_at_msakademik.net)
Date: 02/04/05
- Next message: hoz: "Re: how to protect web server against SQL Injection ?"
- Previous message: Ken Schaefer: "Re: how to protect web server against SQL Injection ?"
- In reply to: Andy G: "Re: how to protect web server against SQL Injection ?"
- Next in thread: Ken Schaefer: "Re: how to protect web server against SQL Injection ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 4 Feb 2005 09:18:18 +0200
I don't agree with you. What happens if a user tries injection with escaped
characters? It depends on your database management system. Assume that
your DBMS uses \ as the escape character. But just think about the \' character.
Your code will change this string as follows: \'', which is valid for SQL
injection.
To test SQL injection, generally use something like this:
a' OR 1=1--
For your case, it becomes a\' OR 1=1
And also I would like to ask something of Ken Schaefer. Is there any example
where stored procedures are not enough?
On MSDN TV, I watched something about MS SQL Server which introduces stored
procedures as a unique solution for SQL injection attacks. Are you sure?
--
Thanks,
Yunus Emre ALPÖZEN
"Andy G" <ajgould@iastate.edu> wrote in message
news:eI19wEjCFHA.3592@TK2MSFTNGP09.phx.gbl...
> Here is something to look at, I call this function and pass the typed in
> username and password to this function before hashing, calling any stored
> procedures, and doing any authentication that you might be doing. I think
> someone else passed this on to me previously....
>
> Public Function SafeSqlLikeClauseLiteral(ByVal inputSQL As String) As String
>     ' Make the following replacements:
>     ' '  becomes ''    (closes no T-SQL string literal early)
>     ' [  becomes [[]   (the remaining three are T-SQL LIKE wildcards/brackets)
>     ' %  becomes [%]
>     ' _  becomes [_]
>     Dim s As String = inputSQL
>     s = inputSQL.Replace("'", "''")
>     s = s.Replace("[", "[[]")
>     s = s.Replace("%", "[%]")
>     s = s.Replace("_", "[_]")
>     Return (s)
> End Function
>
> "hoz" <ask@me.com> wrote in message
> news:OHgjZ%23QCFHA.3092@TK2MSFTNGP10.phx.gbl...
>> Thanks for your answer.
>> I think I have already solved my question at the beginning, using sp's
>>
>> "Ken Schaefer" <kenREMOVE@THISadopenstatic.com> wrote in message
>> news:ONpm0pNCFHA.3504@TK2MSFTNGP12.phx.gbl...
>> > Use parameterised queries and stored procedures. As long as you don't
>> > execute (using Exec()) arbitrary strings in your sprocs, you should be fine.
>> >
>> > Cheers
>> > Ken
>> >
>> >
>> > "hoz" <ask@me.com> wrote in message
>> > news:edVOgd4BFHA.1452@TK2MSFTNGP11.phx.gbl...
>> > > Hi,
>> > > I have already used sp but I am not sure if this would be
>> > > sufficient.
>> > > I am going to read your articles.
>> > > Regards
>> > > Hasan
>> > > "Yunus Emre ALPÖZEN" <yemre@msakademik.net> wrote in message
>> > > news:eA9WwV4BFHA.612@TK2MSFTNGP09.phx.gbl...
>> > >> Just use stored procedures. It is a certain solution...
>> > >>
>> > >> --
>> > >> Thanks,
>> > >> Yunus Emre ALPÖZEN
>> > >>
>> > >>
>> > >>
>> > >> "hoz" <ask@me.com> wrote in message
>> > >> news:u4%23$$y3BFHA.3504@TK2MSFTNGP12.phx.gbl...
>> > >> > I didn't find any information on where to start. Please write
>> > >> > something
>
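To make the point of this reply concrete from a defensive angle, here is a small Python model (added here; it is not code from anyone in the thread) of how two quoting dialects parse a literal built with the quote-doubling step of the function Andy quoted, next to a bound parameter of the kind Ken recommends (SqlParameter in ADO.NET; a `?` placeholder in Python's sqlite3). `parse_literal` is a simplified scanner written for this example: `backslash_escapes=True` assumes a MySQL-style dialect, `False` a T-SQL/SQLite-style one, and the users table is constructed sample data.

```python
import sqlite3

# Port of the quote-doubling step in the VB.NET function quoted above.
def quote_double(value: str) -> str:
    return value.replace("'", "''")

def parse_literal(sql: str, backslash_escapes: bool):
    """Simplified scanner for the single-quoted literal at the start of `sql`.
    Returns (decoded_value, remaining_sql). backslash_escapes=True: a backslash
    escapes the next character (MySQL default). False: only a doubled quote is
    special inside the literal (T-SQL, SQLite)."""
    out, i = [], 1                            # index 0 is the opening quote
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1])            # \x -> x, a quote included
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":       # '' -> one literal quote
                out.append("'")
                i += 2
            else:                             # closing quote: literal ends here
                return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

def escaped_where_clause(user_input: str, backslash_escapes: bool):
    """Concatenate '<escaped input>' and report what the dialect actually sees:
    the decoded value and any SQL text left after the literal closes.
    Leftover text means the input broke out of the literal."""
    sql = "'" + quote_double(user_input) + "'"
    try:
        value, rest = parse_literal(sql, backslash_escapes)
    except ValueError:
        return None, "unterminated literal"
    return value, rest.strip()

def lookup_user_parameterised(user_input: str) -> list:
    """Same lookup with a bound parameter: the input reaches the engine as
    data, so no dialect's quoting rules are applied to it at all."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.execute("INSERT INTO users VALUES ('alice'), ('bob')")  # constructed sample
    rows = con.execute("SELECT name FROM users WHERE name = ?",
                       (user_input,)).fetchall()
    con.close()
    return [r[0] for r in rows]
```

Running `escaped_where_clause("a\\' OR 1=1", ...)` shows the difference: with `False` the whole string stays inside the literal, with `True` the literal closes after `a'` and `OR 1=1'` is left over as SQL, while the parameterised lookup returns no rows for any such input.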