Re: Preventing ALL text SQL Injection by removing single-quotes ?
From: Mark J. McGinty (mmcginty_at_spamfromyou.com)
Date: 07/10/05
- Previous message: Norman Seymore: "Cleaning up hung groups and orphans in SQL 6.5"
- In reply to: Susan S via SQLMonster.com: "Re: Preventing ALL text SQL Injection by removing single-quotes ?"
- Next in thread: Mercury: "Re: Preventing ALL text SQL Injection by removing single-quotes ?"
- Reply: Mercury: "Re: Preventing ALL text SQL Injection by removing single-quotes ?"
- Reply: Mercury: "Re: Preventing ALL text SQL Injection by removing single-quotes ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 10 Jul 2005 04:46:06 -0700
"Susan S via SQLMonster.com" <forum@SQLMonster.com> wrote in message
news:510817BAE9A30@SQLMonster.com...
> John... that wasn't the question at all.
>
> I *DO* have a need to search for text without containing any
> single-quotes.
> (I couldn't possibly have a dropdown box with 1000 different searches in
> it.)
>
> Why not simply say "I don't know" instead of answering a totally different
> question?
You don't provide us with an example of your code that builds dynamic SQL so
we can only guess as to what might or might not work. Have you considered
char(39) being mixed in somehow?
But the larger question is, what is your aversion to parameterizing your
queries? If you were truly concerned about SQL injection, that's the route
you would go. Will you feel safe if nobody here can come up with an
example? Will that mean that it can't be done? You'd learn more hanging
out in hackers' circles, if that is your approach.
So, sorry if it offends you, and I'll admit that "I don't know" of a
specific example, but the real answer to your rhetorical question is:
parameterize, and then you won't need to worry about it. There are no
reasons it can't be done, only excuses.
Good Luck,
Mark
> John Bell wrote:
>>Hi
>>
>>You are assuming a certain business rule is applied which is probably
>>quite rare. You may be able to provide dropdowns if your values are so
>>specific and remove the need to type in anything!!
>>
>>The parameterised query option is generic and can cater for all
>>situations, it should also be fast.
>>
>>John
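To make the point concrete, here is an added example (not code posted in this thread, and not any poster's own code): a quote-stripping "sanitizer" of the kind being debated, run beside parameterized queries. It uses Python's built-in sqlite3 as a stand-in for SQL Server, with a constructed `users` table and sample rows that are assumptions for the example; the same `?` placeholders work with SQL Server through pyodbc. It shows that removing single-quotes only helps where the value is spliced into a quoted string literal: in a numeric context the payload needs no quote at all, and the stripping also silently breaks legitimate searches for names such as O'Brien. Parameters handle both cases without any filtering.

```python
import sqlite3

# Constructed sample data for the example; not from the thread.
ROWS = [
    (1, "Mark", "mark@example.com"),
    (2, "O'Brien", "obrien@example.com"),
    (3, "Susan", "susan@example.com"),
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return con


def strip_quotes(value):
    """The 'defence' under discussion: delete every single-quote."""
    return value.replace("'", "")


def search_dynamic_text(con, name):
    # Value spliced into a quoted string literal. Stripping quotes does
    # stop the classic  ' OR 1=1 --  payload here, but it also turns a
    # legitimate search for O'Brien into a search for OBrien.
    sql = "SELECT id FROM users WHERE name = '" + strip_quotes(name) + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def search_dynamic_numeric(con, id_text):
    # Value spliced into a numeric context. The payload  1 OR 1=1  contains
    # no quote, so the filter removes nothing and the WHERE clause is
    # rewritten to match every row.
    sql = "SELECT id FROM users WHERE id = " + strip_quotes(id_text) + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def search_param_text(con, name):
    # Parameterized: the driver sends the value separately from the SQL
    # text, so a quote in the value is just data. O'Brien is found as is.
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (name,))]


def search_param_numeric(con, id_text):
    # Parameterized numeric lookup. Converting to int first rejects anything
    # that is not a number; a non-numeric payload never reaches the query.
    try:
        id_value = int(id_text)
    except ValueError:
        return []
    sql = "SELECT id FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (id_value,))]


if __name__ == "__main__":
    con = make_db()
    print("dynamic text, classic payload :", search_dynamic_text(con, "' OR 1=1 --"))
    print("dynamic text, O'Brien         :", search_dynamic_text(con, "O'Brien"))
    print("param text, O'Brien           :", search_param_text(con, "O'Brien"))
    print("dynamic numeric, 1 OR 1=1     :", search_dynamic_numeric(con, "1 OR 1=1"))
    print("param numeric, 1 OR 1=1       :", search_param_numeric(con, "1 OR 1=1"))
```

Running it shows the quote filter "working" on the string search while the numeric search returns every row for `1 OR 1=1`; the parameterized versions return only what the caller asked for in both cases, and they find O'Brien, which the filtered query cannot.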