Bytes | Software Development & Data Engineering Community

sql injection

gdp
hi...when guarding against sql injection attack from modified form or
querystring variables is it enough to strip out just apostrophes...if the
variable USERNAME is the name of a text box passed to a script is the below
always safe...

q1="select * from TABLENAME where username='" &
trim(replace(request("USERNAME"),"'","''")) & "'"

thank you for all help given

regards

gdp
Jul 19 '05 #1
In my opinion, this should pretty much solve the common SQL injection
attacks. The following document seems to agree, plus has extensive coverage
on the topic:

http://www.nextgenss.com/papers/adva..._injection.pdf

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com
"gdp" <gp********@blueyonder.co.uk> wrote in message
news:rq***************@news-binary.blueyonder.co.uk...
hi...when guarding against sql injection attack from modified form or
querystring variables is it enough to strip out just apostrophes...if the
variable USERNAME is the name of a text box passed to a script is the below always safe...

q1="select * from TABLENAME where username='" &
trim(replace(request("USERNAME"),"'","''")) & "'"

thank you for all help given

regards

gdp

Jul 19 '05 #2
Not necessarily; there are other obscure scenarios, usually surrounding
techniques you shouldn't be using anyway. Imagine this:

CREATE PROCEDURE dbo.getfoo
@tablename VARCHAR(32)
AS
BEGIN
SET NOCOUNT ON
EXEC('SELECT * FROM '+@tablename)
END
GO

Then from ASP:

<%
set rs = conn.execute("EXEC dbo.getfoo '" & request.querystring("tablename") & "'")
%>

Then hit this with:

http://www.yoursite.com/yourpage.asp...CATE+TABLE+foo

No apostrophes to replace, so even if you did your little replace method,
the table would still get truncated. This is certainly something that a
knowledgeable user could try, if you allow them to know the names of tables
(which they have no real need to know) and allow them to enter such names
unchecked.

Of course you could prevent this as follows:

CREATE PROCEDURE dbo.getfoo
@tablename VARCHAR(32)
AS
BEGIN
SET NOCOUNT ON
IF OBJECT_ID(@tablename) IS NOT NULL
EXEC('SELECT * FROM '+@tablename)
END
GO

The main thing is to avoid potential scenarios where a string can be
executed unchecked and un-type-verified. See
http://www.sommarskog.se/dynamic_sql.html for other perils of using dynamic
SQL in a stored procedure.

Then, avoid dynamic SQL in your execute string in ASP as well, as much as
possible. For anything remaining, the replace of ' should be sufficient.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/


"gdp" <gp********@blueyonder.co.uk> wrote in message
news:rq***************@news-binary.blueyonder.co.uk...
hi...when guarding against sql injection attack from modified form or
querystring variables is it enough to strip out just apostrophes...if the
variable USERNAME is the name of a text box passed to a script is the below always safe...

q1="select * from TABLENAME where username='" &
trim(replace(request("USERNAME"),"'","''")) & "'"

thank you for all help given

regards

gdp

Jul 19 '05 #3

"Manohar Kamath [MVP]" <mk*****@TAKETHISOUTkamath.com> wrote in message
news:OP**************@TK2MSFTNGP10.phx.gbl...
http://www.nextgenss.com/papers/adva..._injection.pdf


I love this. I feel like I know ten times as much about SQL injection as I
did a few hours ago now. Thank you Manohar.

Ray at home
Jul 19 '05 #4
On Thu, 22 Jan 2004 15:50:21 -0600, "Manohar Kamath [MVP]"
<mk*****@TAKETHISOUTkamath.com> wrote:
In my opinion, this should pretty much solve the common SQL injection
attacks. The following document seems to agree, plus has extensive coverage
on the topic:

http://www.nextgenss.com/papers/adva..._injection.pdf


Now this is a great resource. Thanks.

Jeff
Jul 19 '05 #5
Manohar Kamath [MVP] wrote:
In my opinion, this should pretty much solve the common SQL injection
attacks. The following document seems to agree, ...


It does? To me, it seems to be saying that this method (escaping quotes) can
be defeated.

IMO, based on what I've read, the most foolproof way to avoid sql injection
is to avoid dynamic sql, whether that dynamic sql is created in asp code or
in a SQL Server stored procedure (sp_ExecuteSQL can be used to parameterize
dynamic sql statements in stored procedures). Passing parameters correctly
to a stored procedure that does not use dynamic sql will prevent all the
examples of injection I've seen from working. The pdf seems to agree with
this.

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 19 '05 #6
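As an added illustration (not code from the thread or from any of its posters), the three points of the discussion side by side in Python against an in-memory SQLite table: the apostrophe-doubling builder from the original post, Aaron's point that an unquoted table name contains no apostrophes to replace and must instead be checked against a known set of names, and Bob's recommendation to pass values as bound parameters. The `users` table, its rows and the `ALLOWED_TABLES` set are constructed here for the example.

```python
import sqlite3

# Constructed sample data (not from the thread): an in-memory SQLite table
# standing in for the SQL Server TABLENAME of the original post.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (username TEXT, role TEXT);
    INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user');
""")

def escape_apostrophes(value: str) -> str:
    """The original post's defence: trim and double every apostrophe."""
    return value.strip().replace("'", "''")

def build_username_query(username: str) -> str:
    """The SQL text q1 from the original post, built by concatenation.
    Adequate only for a value that lands inside a quoted string literal."""
    return "select * from users where username='" + escape_apostrophes(username) + "'"

def lookup_by_parameter(username: str) -> list:
    """Bob's recommendation: bind the value instead of splicing it into SQL.
    The driver sends the value separately, so quotes and semicolons in it
    are plain data and never reach the parser as SQL text."""
    return conn.execute(
        "select username, role from users where username = ?", (username,)
    ).fetchall()

# Identifiers (table or column names) cannot be bound as parameters, so the
# only safe option is to validate them against a closed allow-list before
# they are concatenated, which is the role OBJECT_ID plays in Aaron's
# revised procedure. Constructed allow-list for this example.
ALLOWED_TABLES = {"users"}

def select_all_from(tablename: str) -> list:
    """Aaron's getfoo with an allow-list check instead of an EXEC of raw text."""
    if tablename not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % tablename)
    # Safe only because tablename was just checked against a closed set.
    return conn.execute('select * from "%s"' % tablename).fetchall()

if __name__ == "__main__":
    print(build_username_query("o'neil"))
    print(escape_apostrophes("foo;TRUNCATE TABLE foo"))  # nothing to escape
    print(lookup_by_parameter("o'neil; truncate table users"))  # []
    print(select_all_from("users"))
```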
