
solution for preventing injection attacks


I have an idea for preventing sql injection attacks, however it would
have to be implemented by the database vendor. Let me know if I am on
the right track, this is totally off base, or already implemented
somewhere...

Let's say you could have a format string such as in printf

$format=" SELECT %s FROM %s WHERE id='%s' ";
$fieldname="last_name";
$tablename="personel";
$id="425";

and you could execute a query like

mysql_query_formatted($format, $fieldname, $tablename, $id);

now, the key is that instead of just adding the $fieldname, $tablename,
$id to the $format string and passing it to mysql_query, it would be
passed to the parser as separate strings. The parser should know how
to handle that format. That way, the parser would always know where
the different table names, field names, and other strings start and
end. So, the problem of injection attacks caused by someone confusing
the parser by entering things like ' and " is gone.
It would be easier on the programmer. There would be no need to worry
about escape characters when passing to this function, the strings
would not have to be escaped. The parser would no longer have to
guess where the boundaries are. No more worrying about injection
attacks.

does that make sense?
--
http://www.douglassdavis.com

Nov 22 '05 #1
> I have an idea for preventing sql injection attacks, however it would
> have to be implemented by the database vendor. Let me know if I am on
> the right track, this is totally off base, or already implemented
> somewhere...

Ok.

> Let's say you could have a format string such as in printf
>
> $format=" SELECT %s FROM %s WHERE id='%s' ";
> $fieldname="last_name";
> $tablename="personel";
> $id="425";
>
> and you could execute a query like
>
> mysql_query_formatted($format, $fieldname, $tablename, $id);

What about more elaborate queries that involve multiple tables, computed
columns, subqueries, updates, deletes, etc.?

> now, the key is that instead of just adding the $fieldname, $tablename,
> $id to the $format string and passing it to mysql_query, it would be
> passed to the parser as separate strings. The parser should know how
> to handle that format. That way, the parser would always know where
> the different table names, field names, and other strings start and
> end. So, the problem of injection attacks caused by someone confusing
> the parser by entering things like ' and " is gone.
>
> It would be easier on the programmer. There would be no need to worry
> about escape characters when passing to this function, the strings
> would not have to be escaped. The parser would no longer have to
> guess where the boundaries are. No more worrying about injection
> attacks.
>
> does that make sense?


I hate to break it to you, but this is what stored procedures were made
for. I realize that procs are new to MySQL in v5.0, but if you have
access to them you should use them. They'll only accept a specific
list of required (and optional) parameters and the type checking and
conversions are handled automatically (most of the time). All you need
then is to make sure to escape text and close it in quotes and you can
build a query to execute the proc -- which follows a very simple
pattern no matter what the query ultimately does.

Nov 22 '05 #2
www.douglassdavis.com (do**@douglassdavis.com) wrote:

: I have an idea for preventing sql injection attacks, however it would
: have to be implemented by the database vendor. Let me know if I am on
: the right track, this is totally off base, or already implemented
: somewhere...

: Let's say you could have a format string such as in printf

: $format=" SELECT %s FROM %s WHERE id='%s' ";
: $fieldname="last_name";
: $tablename="personel";
: $id="425";

: and you could execute a query like

: mysql_query_formatted($format, $fieldname, $tablename, $id);

: now, the key is that instead of just adding the $fieldname, $tablename,
: $id to the $format string and passing it to mysql_query, it would be
: passed to the parser as separate strings. The parser should know how
: to handle that format. That way, the parser would always know where
: the different table names, field names, and other strings start and
: end. So, the problem of injection attacks caused by someone confusing
: the parser by entering things like ' and " is gone.
: It would be easier on the programmer. There would be no need to worry
: about escape characters when passing to this function, the strings
: would not have to be escaped. The parser would no longer have to
: guess where the boundaries are. No more worrying about injection
: attacks.

: does that make sense?
Yes it makes a lot of sense, they are called "bind variables", and they
are implemented by vendors such as Oracle.

Quoting myself from an earlier post

oracle examples
http://www.oracle.com/technology/pub/articles/oracle_php_cookbook/ullman_bindings.html
mysql via mysqli (look for "bind")
http://ca.php.net/mysqli
mysql without mysqli
<quote>
Andy Hassall
Sep 6, 2:28 pm
...
I recommend using the ADOdb library
(http://adodb.sourceforge.net/).
</quote>


--

This programmer available for rent.
Nov 22 '05 #3
www.douglassdavis.com wrote:
> now, the key is that instead of just adding the $fieldname, $tablename,
> $id to the $format string and passing it to mysql_query, it would be
> passed to the parser as separate strings. The parser should know how
> to handle that format. That way, the parser would always know where
> the different table names, field names, and other strings start and
> end. So, the problem of injection attacks caused by someone confusing
> the parser by entering things like ' and " is gone.


Well, just write your own function that performs that. I have suggested
the following some time earlier:

function sql() {
    // first argument is the format string, the rest are the values
    $args = func_get_args();
    $format = array_shift($args);
    // escape every value before it is substituted into the format
    for ($i = 0, $l = count($args); $i < $l; $i++) {
        $args[$i] = mysql_escape_string($args[$i]);
    }
    return vsprintf($format, $args);
}

$sql = sql("SELECT * FROM CowBrains WHERE fkCow = %d AND name = '%s'",
           $id, $name);

If used consistently, dynamic strings in SQL statements will always be
escaped.

Nov 22 '05 #4
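An added example, not the poster's code: a Python port of the escape-then-format helper above, run against an in-memory SQLite table so the result can be checked offline. The CowBrains table, its rows and the escape_string helper are constructed for the example; SQLite escapes a quote inside a string literal by doubling it, which stands in here for mysql_escape_string.

```python
import sqlite3

# Added example, not the poster's code: a Python port of the PHP sql()
# helper above. SQLite escapes a single quote inside a string literal by
# doubling it, which stands in here for mysql_escape_string (MySQL's
# escaper also handles backslashes, and mysql_real_escape_string is the
# charset-aware variant).


def escape_string(value):
    return str(value).replace("'", "''")


def sql(fmt, *args):
    """Escape each argument, then substitute it printf-style into fmt.
    Every %s in fmt must sit between single quotes, otherwise the
    escaping protects nothing; ints pass through untouched for %d."""
    escaped = tuple(a if isinstance(a, int) else escape_string(a) for a in args)
    return fmt % escaped


def make_db():
    # Constructed sample table, one row with a quote in the name.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CowBrains (fkCow INTEGER, name TEXT)")
    conn.executemany("INSERT INTO CowBrains VALUES (?, ?)",
                     [(7, "Daisy"), (7, "O'Brien")])
    return conn


def find_brain(conn, cow_id, name):
    # Same statement shape as the PHP usage above; the quote in O'Brien
    # survives as data because it was doubled before substitution.
    statement = sql("SELECT fkCow, name FROM CowBrains WHERE fkCow = %d AND name = '%s'",
                    cow_id, name)
    return conn.execute(statement).fetchall()
```

Note what the helper does and does not cover: it protects arguments that land inside quotes, but a %s used for a table or column name is merely escaped, not validated, so escaping alone does not handle the identifier slots in the original poster's format string.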
www.douglassdavis.com wrote:
> I have an idea for preventing sql injection attacks, however it would
> have to be implemented by the database vendor. Let me know if I am on
> the right track, this is totally off base, or already implemented
> somewhere...


They already exist. In some languages, AFAICS, they are called
"Parameterized queries". Very neat.

Cheers,
Nicholas Sherlock
Nov 22 '05 #5
www.douglassdavis.com wrote:
> I have an idea for preventing sql injection attacks, however it would
> have to be implemented by the database vendor. Let me know if I am on
> the right track, this is totally off base, or already implemented
> somewhere...
>
> Let's say you could have a format string such as in printf
>
> $format=" SELECT %s FROM %s WHERE id='%s' ";
> $fieldname="last_name";
> $tablename="personel";
> $id="425";
>
> and you could execute a query like
>
> mysql_query_formatted($format, $fieldname, $tablename, $id);

I know them as prepared statements and they look like this:

INSERT INTO table (attr1,attr2,...,attrN) VALUES (?,?,?,?,?,...,?)

And they are filled like this:

preparedStatement->setString(pos, string) or
preparedStatement->setBoolean(pos, bool) or ...

So the preparedstatement functions handle each type as they have to (e.g. escaping strings
if necessary and adding 's to the start and end)

Regards
Stefan
...

Nov 22 '05 #6
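One way to see what the replies about bind variables, parameterized queries and prepared statements describe, as an added example rather than code from any poster: the original format-string idea built on top of bind parameters. Values travel to the parser separately as ? placeholders, while table and column names, which no engine lets you bind, are checked against the live schema before they are spliced into the statement. The query_formatted function, the personel table and its rows are constructed for this example; SQLite in memory is used so it runs without a server (mysqli and PDO bind the same way), and the typed binding at the end is the setString/setBoolean point from the last reply.

```python
import re
import sqlite3

# Added example, not code from the thread. Values are bound with "?" so the
# driver hands them to the parser separately from the statement text; table
# and column names (which cannot be bound in any SQL engine) are checked
# against the live schema and quoted before they are spliced in.

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def known_tables(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {r[0] for r in rows}


def known_columns(conn, table):
    # PRAGMA table_info cannot take a bound parameter either, so the table
    # name is validated before it is interpolated.
    if not _IDENT.match(table) or table not in known_tables(conn):
        raise ValueError(f"unknown table {table!r}")
    return {r[1] for r in conn.execute(f"PRAGMA table_info({table})")}


def query_formatted(conn, template, identifiers, values=()):
    """template uses {slot} for identifiers and ? for values.
    identifiers maps slot -> ("table", name) or ("column", table, name).
    values are passed to execute() and never appear in the SQL text."""
    resolved = {}
    for slot, spec in identifiers.items():
        kind, *rest = spec
        if kind == "table":
            (name,) = rest
            if name not in known_tables(conn):
                raise ValueError(f"unknown table {name!r}")
        elif kind == "column":
            table, name = rest
            if name not in known_columns(conn, table):
                raise ValueError(f"unknown column {name!r} in {table!r}")
        else:
            raise ValueError(f"bad identifier kind {kind!r}")
        # Double quotes delimit identifiers in SQLite and standard SQL
        # (MySQL uses backticks), so a reserved word cannot derail parsing.
        resolved[slot] = f'"{name}"'
    return conn.execute(template.format(**resolved), tuple(values)).fetchall()


def make_db():
    # Constructed sample data, including a last name that contains a quote.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personel (id INTEGER PRIMARY KEY, last_name TEXT, active BOOLEAN)")
    conn.executemany("INSERT INTO personel VALUES (?, ?, ?)",
                     [(425, "Davis", True), (426, "O'Brien", False)])
    return conn


def lookup_last_name(conn, emp_id):
    # The original poster's query: both identifier slots validated, id bound.
    return query_formatted(conn, "SELECT {field} FROM {table} WHERE id = ?",
                           {"field": ("column", "personel", "last_name"),
                            "table": ("table", "personel")}, (emp_id,))


def find_by_name_bound(conn, name):
    return query_formatted(conn, "SELECT id FROM {table} WHERE last_name = ?",
                           {"table": ("table", "personel")}, (name,))


def find_by_name_concat(conn, name):
    # The pattern the thread warns against: the value becomes statement text,
    # so a quote inside it is read by the parser as a delimiter.
    return conn.execute(f"SELECT id FROM personel WHERE last_name = '{name}'").fetchall()


def concatenation_breaks(conn, name):
    """True if building the statement by concatenation fails to parse."""
    try:
        find_by_name_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def identifier_rejected(conn, column):
    """True if a column name not present in the schema is refused."""
    try:
        query_formatted(conn, "SELECT {col} FROM {table}",
                        {"col": ("column", "personel", column),
                         "table": ("table", "personel")})
        return False
    except ValueError:
        return True


def active_ids(conn):
    # Typed binding: a Python bool reaches SQLite as the integer 1; the
    # driver does the conversion, which is the setBoolean point above.
    return query_formatted(conn, "SELECT id FROM {table} WHERE active = ?",
                           {"table": ("table", "personel")}, (True,))
```

Running lookup_last_name(make_db(), 425) returns the Davis row, find_by_name_bound finds O'Brien with no escaping in sight, and the concatenated form of the same lookup is rejected by the parser on the quote, which is exactly the boundary confusion the original post set out to remove. The identifier check is the part the format-string idea left out: field and table names still have to be validated by the application, since the engine only ever binds values.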
