Re: Preventing ALL text SQL Injection by removing single-quotes ?

From: Mercury (me_at_spam.com)
Date: 07/12/05


Date: Tue, 12 Jul 2005 22:52:48 +1200

It depends on the language and environment.
That is what you do not get.
For example, 's' comes from a function supposedly from a UI (?)
That is bad assumption #1.

Now, if s is an instance of a class in say C++ and = is an overloaded
operator then what happens?
What happens if you take HTML from a text field and store it as HTML with
all its flavours of coding, then display it later? Your Replace function can
then be bypassed. What happens if you store HTML and another app does not
know this?

There are so many things that can happen you have to have an OPEN mind that
can accept Anything going wrong Anywhere. How do you know your replace
function will be executed? How do you know an admin will not do a binary
patch on your s/w to bypass the replace to open a back door? People do that
all the time to crack CD keys.

You need to start thinking in terms of Layers of defence. What happens if
you FORGET a Replace?

"Susan S via SQLMonster.com" <forum@SQLMonster.com> wrote in message
news:5131626AFB930@SQLMonster.com...
> Wow.. it was just *ONE* simple request:
>
> Post some *ACTUAL* code... that can cause SQL injection... where *ALL*
> single quote characters have been removed from the string input by the user.
>
> Seems like everyone is talking about everything *OTHER* than that 1 simple
> request:
>
>> Why not use another method instead?
>> Why not fully secure your servers instead?
>> Why not post your code?
>> What are you using this for?
>> You might need users to enter single quotes some day.
>> Why not write/use long parameterized methods instead?
>> What if it's an INT, not a VarChar field?
>> Why don't you go back and change 1000s of lines of code that you already
>> wrote?
>> Let's talk about some totally different problems, instead of this one.
>
> Sheezesss. That wasn't the question here. Here it is again:
>
> s = GetUsersString() ' Get the input
> s = Replace(s, "'", "") ' Remove all single-quotes
> sql = "SELECT * FROM MyTable WHERE MyField='" & s & "'" ' Execute this
>
> The Question:
> In *ONE* line... without *ANY* explanation... what text would the user
> enter as a value for "s", that would break the above code sample?
>
> So simple. No one can answer that? Or prove it can't be done?
>
>
> --
> Message posted via SQLMonster.com
> http://www.sqlmonster.com/Uwe/Forums.aspx/sql-server-security/200507/1
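The scenario Mercury describes (text stored "as HTML", later decoded by a component that does not know that, and then concatenated into SQL with no Replace at all) as an added, runnable re-creation in Python with sqlite3. This is not code from the thread; only the table and column names MyTable/MyField and the Replace/concatenate pattern come from the quoted snippet. The Profile table, the Secret column, the html-entity round trip and the sample rows are constructed for the example. Note that against this engine the direct one-step case is actually blocked by the quote stripping; the break comes in the stored-then-decoded path, and the parameterised form is unaffected either way.

```python
"""Added example (not from the original thread): single-quote stripping
versus a second-order path where the stored value is HTML-decoded and
then concatenated into SQL by a component that forgot the Replace.
Assumptions: sqlite3 as the engine; the Profile table, Secret column
and sample rows are constructed for this demonstration."""
import html
import sqlite3

# Constructed sample data.
ROWS = [("alice", "secret-a"), ("bob", "secret-b")]


def strip_quotes(s: str) -> str:
    """Python equivalent of  Replace(s, "'", "")  from the quoted code."""
    return s.replace("'", "")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (MyField TEXT, Secret TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?)", ROWS)
    # Assumed table where a UI keeps user-supplied text "as HTML".
    conn.execute("CREATE TABLE Profile (Nickname TEXT)")
    return conn


def lookup_concat(conn: sqlite3.Connection, s: str) -> list:
    """The quoted code as written: strip quotes, then concatenate.
    With a single literal quote removed, ' OR 1=1 -- stays inside the
    string literal here and simply matches nothing."""
    s = strip_quotes(s)
    sql = "SELECT * FROM MyTable WHERE MyField='" + s + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, s: str) -> list:
    """Parameterised form: the value never becomes part of the SQL text,
    so no quote handling is needed and nothing can be 'forgotten'."""
    return conn.execute(
        "SELECT * FROM MyTable WHERE MyField=?", (s,)
    ).fetchall()


def store_nickname(conn: sqlite3.Connection, raw: str) -> None:
    """First app: applies the Replace and stores the text as HTML.
    An attacker who types the entity &#39; rather than a literal quote
    gives the Replace nothing to remove."""
    conn.execute("INSERT INTO Profile VALUES (?)", (strip_quotes(raw),))


def second_app_lookup(conn: sqlite3.Connection) -> list:
    """Second app: does not know the value is HTML, decodes it, and
    builds SQL by concatenation with no Replace (the forgotten layer).
    html.unescape turns &#39; back into a real single quote."""
    (stored,) = conn.execute("SELECT Nickname FROM Profile").fetchone()
    nickname = html.unescape(stored)
    sql = "SELECT * FROM MyTable WHERE MyField='" + nickname + "'"
    return conn.execute(sql).fetchall()


def second_app_lookup_safe(conn: sqlite3.Connection) -> list:
    """Same second app, parameterised: the decoded quote is just data."""
    (stored,) = conn.execute("SELECT Nickname FROM Profile").fetchone()
    nickname = html.unescape(stored)
    return conn.execute(
        "SELECT * FROM MyTable WHERE MyField=?", (nickname,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("direct, stripped:", lookup_concat(db, "' OR 1=1 --"))
    store_nickname(db, "&#39; OR 1=1 --")
    print("second-order, concat:", second_app_lookup(db))
    print("second-order, param :", second_app_lookup_safe(db))
```

Run it and the direct attempt returns no rows, the second-order concatenation returns every row in MyTable (the decoded quote closes the literal and `--` comments out the trailing quote), and the parameterised second app returns nothing, which is the layered-defence point: the parameter binding holds even when the Replace is absent or bypassed.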


