Re: SQL injection after Replace("'", "''")?
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 10/12/05
- Next message: helmut woess: "Re: Is there any way to prevent hacker trying to guess sa password?"
- Previous message: Ken Schaefer: "Re: Is there any way to prevent hacker trying to guess sa password?"
- Maybe in reply to: Dan Guzman: "Re: SQL injection after Replace("'", "''")?"
- Next in thread: Phil Simpson: "Re: SQL injection after Replace("'", "''")?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 12 Oct 2005 14:39:16 +1000
Here's a kinda contrived example that doesn't involve ' . You have a query:
SELECT ProductName FROM Products WHERE ProductID = ?
and someone supplies:
1 UNION SELECT UserPassword FROM Users WHERE UserName = 'Administrator'
Your code to escape ' won't really help much. You need code to validate that
the value supplied for ? is actually an integer rather than a string.
And so it goes on. Dan's suggestion of using parameterised queries is a good
one - do that if you can. Trying to filter for known bad input is a losing
battle unless you spend some time (and continue to spend time) keeping up to
date with all the latest threats.
Cheers
Ken
"BeanDog" <BeanDog@discussions.microsoft.com> wrote in message
news:FF12356F-543B-4E0A-B6AF-588B9360E647@microsoft.com...
: I'm just beginning my database programming. I've done a little bit of
: research on security, just to get an idea of what's out there, and of course
: I came across SQL injection.
:
: I've thought about it, and I can't seem to come to a conclusion: If I
: replace all ' characters in user-inputted parameters with '', is there still
: a way for a malicious user to run arbitrary SQL code in my ad-hoc query?
:
: Stored procedures are out of the question. I'm just curious why any other
: measure of security against this threat is required.
:
: ~BenDilts( void );
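The situation Ken describes, worked through as an added example (not code from the original thread): Python with sqlite3 stands in for the ASP and SQL Server setup being discussed, the Products/Users schema and rows are constructed for the demo, and the quote-free UNION payload is an assumption added here to show what an attacker does once quote doubling is in place. The block puts the Replace("'", "''") defence, Ken's integer check and Dan's parameterised query side by side against the same input.

```python
import sqlite3

# Constructed sample schema and data (an assumption, not from the original post).
SCHEMA = """
CREATE TABLE Products (ProductID INTEGER PRIMARY KEY, ProductName TEXT);
CREATE TABLE Users (UserName TEXT PRIMARY KEY, UserPassword TEXT);
INSERT INTO Products VALUES (1, 'Widget'), (2, 'Gadget');
INSERT INTO Users VALUES ('Administrator', 's3cret-hash');
"""

# Ken's payload as posted (contains quotes around the user name).
QUOTED_PAYLOAD = "1 UNION SELECT UserPassword FROM Users WHERE UserName = 'Administrator'"
# Quote-free variant (assumed here): same idea, nothing for Replace("'", "''") to touch.
PAYLOAD = "1 UNION SELECT UserPassword FROM Users"


def connect():
    """Fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def escape_quotes(value):
    """The only defence BeanDog asked about: Replace("'", "''")."""
    return value.replace("'", "''")


def lookup_adhoc(conn, product_id):
    """Vulnerable: the value is glued into the SQL text. ProductID is an
    unquoted integer in the query, so the attacker never needs a quote."""
    sql = ("SELECT ProductName FROM Products WHERE ProductID = "
           + escape_quotes(product_id))
    return [row[0] for row in conn.execute(sql)]


def adhoc_query_fails(conn, product_id):
    """True when the database rejects the concatenated query outright."""
    try:
        lookup_adhoc(conn, product_id)
    except sqlite3.OperationalError:
        return True
    return False


def validate_product_id(value):
    """Ken's point: prove the value is an integer before it reaches SQL.
    Returns the int, or None for anything that is not a positive integer."""
    try:
        pid = int(value)
    except (TypeError, ValueError):
        return None
    return pid if pid > 0 else None


def lookup_parameterized(conn, product_id):
    """Dan's suggestion: bind the value; the driver sends it as data, not SQL."""
    sql = "SELECT ProductName FROM Products WHERE ProductID = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def lookup_safe(conn, value):
    """Validate first, then bind: rejected input never reaches the database."""
    pid = validate_product_id(value)
    if pid is None:
        return None
    return lookup_parameterized(conn, pid)


if __name__ == "__main__":
    db = connect()
    print("ad hoc, normal:", lookup_adhoc(db, "1"))
    print("ad hoc, quote-free UNION:", lookup_adhoc(db, PAYLOAD))
    print("ad hoc, quoted UNION rejected?", adhoc_query_fails(db, QUOTED_PAYLOAD))
    print("parameterized, payload:", lookup_parameterized(db, PAYLOAD))
    print("validated, payload:", lookup_safe(db, PAYLOAD))
    print("validated, normal:", lookup_safe(db, "2"))
```

Two things worth noticing when running it. Doubling the quotes in Ken's posted payload does make that exact string fail with a SQL error, but only because the attacker chose to put a quoted literal in the WHERE clause; dropping the clause (or spelling the name with CHAR()/hex, which SQL Server and SQLite both allow) gives the quote-free variant, which the ad hoc query executes and which returns the password row alongside the product. The bound parameter, by contrast, is compared as a value, so the same string simply matches nothing, and the integer check rejects it before a query is even built.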