
Concatenation is dropping a single quote

I've got some code that adds a single quote to any ad hoc queries that
appear to look like hacks. For instance, if somebody enters ' OR 1=1 --
then this code adds another single quote to the string to neutralize it.
The neutralized string becomes '' OR 1=1 --.

The problem is that when I try to concatenate this string into a SQL
insert statement, the extra single quote is lost. It disappears! The
hack can then get to the DB.

I tried using Stringbuilder but it has the same effect.

Anybody ever heard of something like this?

~Paul

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Nov 18 '05 #1
No. You should show some code for a meaningful answer.


Nov 18 '05 #2
Sure. Doubled single quotes are escaped (literal) single quotes in SQL.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.


Nov 18 '05 #3
Yes.
That is the way it works.
You are escaping the single quote by doubling it up.
So instead of the 'OR 1=1 -- causing a SQL injection, it just gets added to
your data.
The value in the DB will still have a single quote because it was escaped by
the one you added.
--
Joe Fallon


Nov 18 '05 #4
Wow, damn, forgot about that! It's behaving.

I was expecting it to store both single quotes to the data store. NOT.

Now it is stored as data instead of an injection, but when I read it I
guess I have to escape the single quote once again to keep it from
injecting at read time.

Thanks.
~Paul

Nov 18 '05 #5
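An added example, not code from the thread, that reproduces what the replies describe using Python's sqlite3 module in place of the poster's .NET code: the INSERT text carries the doubled quote, the row read back carries a single one (the parser consumed the escape, which is why it looks "lost"), and the same value bound as a parameter needs no escaping code at all. The table name `notes` and the helper names are assumptions; the input value is the one from the thread.

```python
import sqlite3

# Constructed sample input: the hostile-looking value from the thread.
HOSTILE_INPUT = "' OR 1=1 --"


def escape_quotes(value: str) -> str:
    """Double every single quote, as the poster's code does ('' is a literal ' in SQL)."""
    return value.replace("'", "''")


def build_insert(value: str) -> str:
    """Build the INSERT by string concatenation, the way the thread describes."""
    return "INSERT INTO notes (body) VALUES ('" + escape_quotes(value) + "')"


def round_trip(value: str) -> tuple:
    """Insert `value` via the concatenated statement and read it back.

    Returns (sql_text, stored_value, row_count): the SQL text holds the doubled
    quote, the stored data holds a single quote, and exactly one row exists,
    so the injection text was stored as data rather than changing the statement.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    sql = build_insert(value)
    conn.execute(sql)
    stored = conn.execute("SELECT body FROM notes").fetchone()[0]
    count = conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]
    conn.close()
    return sql, stored, count


def round_trip_parameterized(value: str) -> str:
    """Same round trip with a bound parameter: the driver keeps data out of the
    SQL text, so no quote-doubling is needed on write or on read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO notes (body) VALUES (?)", (value,))
    stored = conn.execute("SELECT body FROM notes").fetchone()[0]
    conn.close()
    return stored


if __name__ == "__main__":
    sql, stored, count = round_trip(HOSTILE_INPUT)
    print(sql)     # SQL text: VALUES (''' OR 1=1 --')
    print(stored)  # stored row: ' OR 1=1 --  (one quote; the doubling was an escape)
    print(round_trip_parameterized(HOSTILE_INPUT) == stored)
```

The value read back by SELECT is plain data; it only needs escaping (or, better, parameter binding) if it is concatenated into another SQL statement later.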