Re: Preventing ALL text SQL Injection by removing single-quotes ?
From: Mercury (me_at_spam.com)
Date: 07/11/05
- Previous message: Phil Turtle: "NETWORK SERVICE Account and sp_add_job problem"
- In reply to: Mark J. McGinty: "Re: Preventing ALL text SQL Injection by removing single-quotes ?"
- Next in thread: Mercury: "Re: Preventing ALL text SQL Injection by removing single-quotes ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 11 Jul 2005 23:44:25 +1200
Well I started out the other day writing down a list from the SQL Server
perspective, but they all seem to start with the programmer making a
blunder. There are so many ways you can facilitate your site getting hacked
that it is really quite absurd. This is where a lot of the challenge exists.
If ever in the design of the system someone has said "It will never do such
and such", so you haven't coded defensively for the day you will have, say,
multiple sites on the one server (as an example), then you have introduced time
bombs.
The most important thing about security is, like so many things, to expend your
effort where it will have most benefit.
I suggest you check your program code and ensure that no strings can
overflow buffers; that you use parameterised queries; that you check every
string not just for single quotes but also for script and other HTML tags, and for
code that can be evaluated to quotes, script, or HTML; that wherever
possible you remove as much need for free text entry as you can; do not
reflect errors verbatim back to the user (i.e. avoid replay attacks); do not
ever store data without sanitising it; do not show data without it being
sanitised (again); make everything as type safe as possible; normalise your
database properly; use maximum error and warning reporting when compiling;
use proper error handling; test the system thoroughly; try to break it; do
not accept warnings during compiles; and so on.
Add to that, use a DMZ, secure your web server, secure your database server,
enforce strong security... strong passwords,... I think you get the idea.
Now, look at your original question and ask yourself "was it responsible"?
Or do you think you can now check off the single quote character in
isolation? It is never a done task.
I suggest you re-read John's answer and references as a starter.
"Mark J. McGinty" <mmcginty@spamfromyou.com> wrote in message
news:uX1WrSUhFHA.3256@TK2MSFTNGP12.phx.gbl...
>
> "Susan S via SQLMonster.com" <forum@SQLMonster.com> wrote in message
> news:510817BAE9A30@SQLMonster.com...
>> John... that wasn't the question at all.
>>
>> I *DO* have a need to search for text without containing any
>> single-quotes.
>> (I couldn't possibly have a dropdown box with 1000 different searches in
>> it.)
>>
>> Why not simply say "I don't know" instead of answering a totally
>> different question?
>
> You don't provide us with an example of your code that builds dynamic SQL
> so we can only guess as to what might or might not work. Have you
> considered char(39) being mixed in somehow?
>
> But the larger question is, what is your aversion to parameterizing your
> queries? If you were truly concerned about SQL injection, that's the
> route you would go. Will you feel safe if nobody here can come up with an
> example? Will that mean that it can't be done? You'd learn more hanging
> out in hacker's circles, if that is your approach.
>
> So, sorry if it offends you, and I'll admit that "I don't know" of a
> specific example, but the real answer to your rhetorical question is:
> parameterize, then you won't need to worry about it, there are no reasons
> it can't be done, only excuses.
>
>
> Good Luck,
> Mark
>
>> John Bell wrote:
>>>Hi
>>>
>>>You are assuming a certain business rule is applied which is probably
>>>quite rare. You may be able to provide dropdowns if your values are so
>>>specific and remove the need to type in anything!!
>>>
>>>The parameterised query option is generic and can cater for all
>>>situations, it should also be fast.
>>>
>>>John
>
>
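An added example, not code from anyone in this thread, showing the difference the replies keep coming back to: a free-text search that deletes single quotes and concatenates the rest into the SQL, beside the same search done with a bound parameter. It uses Python's sqlite3 on a constructed in-memory table; the thread is about SQL Server, but the parameter mechanism works the same way there (the table and names are made up for the example).

```python
# Added example (not from the thread): quote-stripping versus a parameterised query
# for a free-text search. Constructed sample data, sqlite3 in memory.
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample table; one name legitimately contains a single quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO customer (name) VALUES (?)",
        [("Susan Smith",), ("Pat O'Brien",), ("Mark McGinty",)],
    )
    return conn


def search_stripped(conn: sqlite3.Connection, term: str) -> List[str]:
    """The approach from the original question: delete single quotes, then build
    the SQL by string concatenation. Names that contain a quote can never be
    found, and the query text still changes with whatever the user typed."""
    cleaned = term.replace("'", "")
    sql = "SELECT name FROM customer WHERE name LIKE '%" + cleaned + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn: sqlite3.Connection, term: str) -> List[str]:
    """The approach the replies recommend: the SQL text is fixed and the term is
    passed as a bound parameter, so it is always treated as data, quotes and all."""
    sql = "SELECT name FROM customer WHERE name LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    for t in ("O'Brien", "Smith", "O'Brien OR 1=1"):
        print(repr(t), "stripped:", search_stripped(db, t),
              "parameterised:", search_parameterised(db, t))
```

One caveat the parameter does not cover: LIKE wildcards (% and _) inside the term are still interpreted by the database, so escape them separately if literal matching matters.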