Re: how to protect web server against SQL Injection ?

From: Yunus Emre ALPÖZEN (yemre_at_msakademik.net)
Date: 02/04/05


Date: Fri, 4 Feb 2005 09:18:18 +0200

I don't agree with you. What happens if the user tries an injection with escaped
characters? It depends on your database management system. Assume that
your DBMS uses \ as the escape character. But just think about the \' character.
Your code will change this string as follows: \'', which is valid for SQL
injection.
To test SQL injection, generally use something like this:
    a' OR 1=1--
For your case, it becomes a\' OR 1=1

I would also like to ask Ken Schaefer something. Is there any example
where stored procedures are not enough?

On MSDN TV, I watched something about MS SQL Server which presented stored
procedures as a unique solution for SQL injection attacks. Are you sure?

-- 
Thanks,
Yunus Emre ALPÖZEN
"Andy G" <ajgould@iastate.edu> wrote in message 
news:eI19wEjCFHA.3592@TK2MSFTNGP09.phx.gbl...
> Here is something to look at. I call this function and pass the typed-in
> username and password to this function before hashing, calling any stored
> procedures, and doing any authentication that you might be doing.  I think
> someone else passed this on to me previously....
>
> Public Function SafeSqlLikeClauseLiteral(ByVal inputSQL As String) As String
>     ' Make the following replacements (T-SQL string literal and LIKE escaping):
>     '   '  becomes ''     (closes no string literal)
>     '   [  becomes [[]    (must run first, before the brackets added below)
>     '   %  becomes [%]    (no longer a LIKE wildcard)
>     '   _  becomes [_]    (no longer a LIKE wildcard)
>     Dim s As String = inputSQL
>     s = s.Replace("'", "''")
>     s = s.Replace("[", "[[]")
>     s = s.Replace("%", "[%]")
>     s = s.Replace("_", "[_]")
>     Return s
> End Function
>
> "hoz" <ask@me.com> wrote in message
> news:OHgjZ%23QCFHA.3092@TK2MSFTNGP10.phx.gbl...
>> Thanks for your answer.
>> I think I have already solved my question at the beginning, using SPs.
>>
>> "Ken Schaefer" <kenREMOVE@THISadopenstatic.com> wrote in message
>> news:ONpm0pNCFHA.3504@TK2MSFTNGP12.phx.gbl...
>> > Use parameterised queries and stored procedures. As long as you don't
>> > execute (using Exec()) arbitrary strings in your sprocs, you should be fine.
>> >
>> > Cheers
>> > Ken
>> >
>> >
>> > "hoz" <ask@me.com> wrote in message
>> > news:edVOgd4BFHA.1452@TK2MSFTNGP11.phx.gbl...
>> > > Hi ,
>> > > I have already used SPs but I am not sure if this would be
>> > > sufficient.
>> > > I am going to read your articles.
>> > > Regards
>> > > Hasan
>> > > "Yunus Emre ALPÖZEN" <yemre@msakademik.net> wrote in message
>> > > news:eA9WwV4BFHA.612@TK2MSFTNGP09.phx.gbl...
>> > >> just use stored procedures.. It is a certain solution...
>> > >>
>> > >> -- 
>> > >> Thanks,
>> > >> Yunus Emre ALPÖZEN
>> > >>
>> > >>
>> > >>
>> > >> "hoz" <ask@me.com> wrote in message
>> > >> news:u4%23$$y3BFHA.3504@TK2MSFTNGP12.phx.gbl...
>> > >> > I didn't find any information on where to start. Please write
>> > >> > something.
>> > >> >
>> > >> >
>> > >>
>> > >>
>> > >
>> > >
>> >
>> >
>>
>>
>
> 
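The escaping and parameterisation questions raised in this thread, worked through as an added example (this is not code from any poster or from MSDN): a small Python/sqlite3 script with constructed sample rows that runs the thread's `a' OR 1=1--` payload against a concatenated query, a parameterised query and a quote-doubled query, and then shows the LIKE-wildcard problem that Andy G's SafeSqlLikeClauseLiteral addresses. SQLite, like T-SQL, does not treat backslash as an escape character inside a string literal, so `\'` doubled to `\''` stays inside the literal. SQLite has no `[...]` character classes in LIKE (those are T-SQL only), so this port escapes wildcards with an `ESCAPE '\'` clause instead; the table names, rows and function names are assumptions of the example.

```python
import sqlite3

# Constructed sample rows for the demonstration; not data from the thread.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("a_b", "pw")]
PRODUCTS = [("50% off widget",), ("widget_pro",), ("gadget",)]


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", PRODUCTS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: input is spliced into the SQL text, so a quote ends the literal
    and everything after it is parsed as SQL ('--' comments out the rest)."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, username, password):
    """Parameterised: values travel separately from the SQL text and are
    never parsed as SQL, whatever characters they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def quote_literal(value):
    """Doubles single quotes, the only escape SQLite and T-SQL recognise inside '...'."""
    return value.replace("'", "''")


def login_quoted(conn, username, password):
    """Concatenation with quote doubling; a backslash is an ordinary character,
    so a\\' becomes the literal text a\\' rather than a closed quote."""
    sql = ("SELECT username FROM users WHERE username = '" + quote_literal(username)
           + "' AND password = '" + quote_literal(password) + "'")
    return sorted(row[0] for row in conn.execute(sql))


def search_like_param(conn, term):
    """Parameterised, yet % and _ inside term are still LIKE wildcards:
    parameters stop SQL injection, not pattern injection."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters for use with an ESCAPE clause; the escape
    character itself must be doubled first, before it is added in front of % and _."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_like_escaped(conn, term):
    """Parameterised and wildcard-escaped: term is matched literally inside the pattern."""
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return sorted(row[0] for row in conn.execute(sql, ("%" + escape_like(term) + "%",)))


if __name__ == "__main__":
    db = make_db()
    payload = "a' OR 1=1--"  # the thread's test string
    print("concat  :", login_concat(db, payload, "x"))          # ['a_b', 'alice', 'bob']
    print("param   :", login_param(db, payload, "x"))           # []
    print("quoted  :", login_quoted(db, "a\\' OR 1=1--", "x"))  # []
    print("like _  :", search_like_param(db, "_"))              # all three product names
    print("escaped :", search_like_escaped(db, "_"))            # ['widget_pro']
```

Ken Schaefer's caveat about Exec() applies unchanged here: a stored procedure that builds its SQL by concatenating a parameter and then executes the string has simply moved the login_concat flaw into the database, and parameters only protect the statement that actually binds them.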

