473,671 Members | 2,473 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Protecting SQL injection attacks (text input functino)

I'm learning a bit about the SWL injection issues and want to write a shared
class that I can call from anywhere in my project to 'sanitize' any incoming
text from textfields before sending to the DB.

Is it enough to simply escape single quotes as two single quotes? Ie,
replace ' with ''? Or should I also be checking for things like brackets,
parenthesis and SQL command words (INSERT, UPDATE, DELETE, etc.)?

And...maybe a dumb question, but why doesn't SQL check for these things
automatically?

-Darrel
Nov 18 '05 #1
9 2057
The best way to protect from SQL injection attacks is to utilize
parameterized queries or stored procedures. Sanitizing is fine but I've
always treated it as I do encryption... assume I'm not qualified and
that I'm better off using the existing means that were built by the
"insiders" that know the details (i.e. all the character sequences that
could cause problems).

As for why SQL doesn't filter it out, it is because you are allowed to
submit batches of sql statements for execution. This means that the SQL
server can't tell the difference between you submitting two sql
statements or you submitting one statement that has been hijacked to
hold a second statement of your user's choosing. They provide a means
for mitigating the potential problems this may cause, it is up to us to
take advantage of it.

Have A Better One!

John M Deal, MCP
Necessity Software

Darrel wrote:
I'm learning a bit about the SWL injection issues and want to write a shared
class that I can call from anywhere in my project to 'sanitize' any incoming
text from textfields before sending to the DB.

Is it enough to simply escape single quotes as two single quotes? Ie,
replace ' with ''? Or should I also be checking for things like brackets,
parenthesis and SQL command words (INSERT, UPDATE, DELETE, etc.)?

And...maybe a dumb question, but why doesn't SQL check for these things
automatically?

-Darrel

Nov 18 '05 #2
Darrel,

You are safe if you use the values from the textboxes as query parameters.
In that case you don't need any checking.

SQL can't check for an attack since the whole trick is to send to the server
sql statements with valid syntax.

Eliyahu

"Darrel" <no*****@nospam .com> wrote in message
news:u2******** ******@TK2MSFTN GP14.phx.gbl...
I'm learning a bit about the SWL injection issues and want to write a shared class that I can call from anywhere in my project to 'sanitize' any incoming text from textfields before sending to the DB.

Is it enough to simply escape single quotes as two single quotes? Ie,
replace ' with ''? Or should I also be checking for things like brackets,
parenthesis and SQL command words (INSERT, UPDATE, DELETE, etc.)?

And...maybe a dumb question, but why doesn't SQL check for these things
automatically?

-Darrel

Nov 18 '05 #3
Escaping quotes is one measure. You should also practice using stored
procedues or parameterized queries if stored procs is not an option (e.g MS
Access). Also, create a sqlcommand or oledbcommand object and specify the
commandtype property to = commandtype.tex t
Dim cmd as new SqlCommand
cmd.CommandType = CommandType.Sto redProcedure
or
cmd.CommandType = CommandType.Tex t

If you use the Text command type, then you are telling the Database to
process all command as plain text and not as actual sql commands. So, the
single quote should not be a factor it will just be treated like a regular
string.
Hope this helps

"Darrel" wrote:
I'm learning a bit about the SWL injection issues and want to write a shared
class that I can call from anywhere in my project to 'sanitize' any incoming
text from textfields before sending to the DB.

Is it enough to simply escape single quotes as two single quotes? Ie,
replace ' with ''? Or should I also be checking for things like brackets,
parenthesis and SQL command words (INSERT, UPDATE, DELETE, etc.)?

And...maybe a dumb question, but why doesn't SQL check for these things
automatically?

-Darrel

Nov 18 '05 #4
> You are safe if you use the values from the textboxes as query parameters.
In that case you don't need any checking.


Can you explain that? I'm not really sure what a 'query parameter' is.
Right now I have these textboxes:

[firstName]
[lastName]

And then a SQL statement like this:

"INSERT INTO tablename (firstName, lastName) VALUES ('" & firstName.text &
"', '" & lastName.text & "')"

The problem is that any name with an apostrophe, breaks the syntax, so I
need to escape anyways. Is there anything else I need to do, or are these
simply innocuous parameters?

-Darrel
Nov 18 '05 #5
> If you use the Text command type, then you are telling the Database to
process all command as plain text and not as actual sql commands. So, the
single quote should not be a factor it will just be treated like a regular
string.


Ah! That makes sense. Thanks!

-Darrel
Nov 18 '05 #6
You should use ADO.NET parameter objects. They will protect you against SQL
Injection Attacks.

Here's more info:
http://msdn.microsoft.com/library/de...classtopic.asp
http://msdn.microsoft.com/library/de...isualbasic.asp

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"Darrel" <no*****@nospam .com> wrote in message
news:u2******** ******@TK2MSFTN GP14.phx.gbl...
I'm learning a bit about the SWL injection issues and want to write a
shared class that I can call from anywhere in my project to 'sanitize' any
incoming text from textfields before sending to the DB.

Is it enough to simply escape single quotes as two single quotes? Ie,
replace ' with ''? Or should I also be checking for things like brackets,
parenthesis and SQL command words (INSERT, UPDATE, DELETE, etc.)?

And...maybe a dumb question, but why doesn't SQL check for these things
automatically?

-Darrel

Nov 18 '05 #7
this is a perfect example of code that allows sql injection.

just type in the lastname textbox

a') delete tablename select ('a
use sqlcomman and parameters

cmd.CommandText = "INSERT INTO tablename (firstName, lastName) VALUES
('@firstname',' @lastname')";
cmd.Parameters. Add("@firstname ",SqlDbType.Var Char).Value = firstName.Text;
cmd.Parameters. Add("@lastname" ,SqlDbType.VarC har).Value = lastName.Text;

-- bruce (sqlwork.com)

"Darrel" <no*****@nospam .com> wrote in message
news:eP******** ******@TK2MSFTN GP15.phx.gbl...
| > You are safe if you use the values from the textboxes as query
parameters.
| > In that case you don't need any checking.
|
| Can you explain that? I'm not really sure what a 'query parameter' is.
| Right now I have these textboxes:
|
| [firstName]
| [lastName]
|
| And then a SQL statement like this:
|
| "INSERT INTO tablename (firstName, lastName) VALUES ('" & firstName.text &
| "', '" & lastName.text & "')"
|
| The problem is that any name with an apostrophe, breaks the syntax, so I
| need to escape anyways. Is there anything else I need to do, or are these
| simply innocuous parameters?
|
| -Darrel
|
|
Nov 18 '05 #8
> this is a perfect example of code that allows sql injection.
just type in the lastname textbox
a') delete tablename select ('a
would escaping the single quotes as double remedy that?
use sqlcomman and parameters

cmd.CommandText = "INSERT INTO tablename (firstName, lastName) VALUES
('@firstname',' @lastname')";
cmd.Parameters. Add("@firstname ",SqlDbType.Var Char).Value = firstName.Text;
cmd.Parameters. Add("@lastname" ,SqlDbType.VarC har).Value = lastName.Text;


Ah...so, what does that do, exactly? Does it simply send the same text but
as a non-executable command? Is this different than Tamp's suggestion of
setting the entire command as text?

-Darrel
Nov 18 '05 #9
Dude, it's been explained to you more than once that you need to use ADO.NET
parameter objects.
They are the best practice and will prevent all forms of SQL injection
attacks.
Don't escape anything. That's not a good solution. Parameter objects are
the solution.

Here's more info:
http://msdn.microsoft.com/library/de...classtopic.asp
http://msdn.microsoft.com/library/de...isualbasic.asp

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"Darrel" <no*****@nospam .com> wrote in message
news:uk******** ******@TK2MSFTN GP15.phx.gbl...
this is a perfect example of code that allows sql injection.
just type in the lastname textbox
a') delete tablename select ('a


would escaping the single quotes as double remedy that?
use sqlcomman and parameters

cmd.CommandText = "INSERT INTO tablename (firstName, lastName) VALUES
('@firstname',' @lastname')";
cmd.Parameters. Add("@firstname ",SqlDbType.Var Char).Value =
firstName.Text;
cmd.Parameters. Add("@lastname" ,SqlDbType.VarC har).Value = lastName.Text;


Ah...so, what does that do, exactly? Does it simply send the same text but
as a non-executable command? Is this different than Tamp's suggestion of
setting the entire command as text?

-Darrel

Nov 18 '05 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

11
2624
by: Bã§TãRÐ | last post by:
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I just personally rewrote/reformatted close to 150 of them myself. Nothing too fancy, mostly a lot of formatting. We have a little down time between Q/A and fixing any bugs they find so I decided to test the security of the site with Cross-Site...
10
1448
by: MattB | last post by:
I have a name lookup form that passes the contents of two text boxes to a sql query. I've noticed that someone can substitute % for letters and wildcard the query. I know I could just disallow that character, but is there a commonly accepted way to stop all of these kinds of attacks? I see asp.net automatically disallows characters like "<>" but not %. What else should I be on the lookout for? Thanks! Matt
5
2133
by: www.douglassdavis.com | last post by:
I have an idea for preventing sql injection attacks, however it would have to be implemented by the database vendor. Let me know if I am on the right track, this totally off base, or already implemented somewhere... Lets say you could have a format string such as in printf $format=" SELECT %s FROM %s WHERE id='%s' "; $fieldname="last_name"; $tablename="personel";
10
23901
by: bregent | last post by:
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form injection attacks? I'm looking for good routines I can reuse on all of my form processing pages. Thanks.
8
3764
by: stirrell | last post by:
Hello, One problem that I had been having is stopping email injections on contact forms. I did some research, read up on it and felt like I had created a working solution. I hadn't gotten any suspicious bouncebacks in quite some time and got many custom alerts I had set up for notifying me of injection attempts. However, just the other day, I got a bounceback from an AOL address which leads me to believe that an injection attempt was...
6
4341
by: Tor Erik Soenvisen | last post by:
Hi, How safe is the following code against SQL injection: # Get user privilege digest = sha.new(pw).hexdigest() # Protect against SQL injection by escaping quotes uname = uname.replace("'", "''") sql = 'SELECT privilege FROM staff WHERE ' + \ 'username=\'%s\' AND password=\'%s\'' % (uname, digest)
29
2107
by: sinbuzz | last post by:
Hi, I'm curious about the best way to avoid SQL Injection attacks against my web server. Currently I'm on IIS. I might be willing to switch to something like Apache but I'm not sure if SQL Injection is is a generic enough of an attack to cause me worries once I make the
5
2055
by: Cheb | last post by:
I am writing a simple 'contact us' email form and I am aware I should protect it from code injection and malicious email hijacks. I have used mysql_escape_string() to remove any newlines in the headers but do I need to protect the message body too? Should I include MIME content headers too? And should I be worried about HTML inclusion in the body? Thanks Chris R.
2
4315
by: Jerry Winston | last post by:
We all know SQL injection attacks can easily get break SQL command strings concatenated with unsanitized user input fields: set commandObj = Server.CreateObject("ADODB.Connection") set rs = Server.CreateObject("ADODB.Recordset") commandObj.ConnectionString = myGenericConnectionString commandObj.Open sqlCMD ="INSERT INTO myTable (item,cost) VALUES ('" & request.Form.Item("txtMyHTML_Field1") & "' , " &...
0
8401
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
8824
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
8673
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
1
6236
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
4227
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
4416
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
2818
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
2060
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
2
1815
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.