Hi,
How safe is the following code against SQL injection:
# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)
pw is the supplied password and uname is the supplied password.
regards
Tor Erik Soenvisen <to******@hotmail.com> writes:
# Protect against SQL injection by escaping quotes
Don't ever do that, safe or not. Use query parameters instead.
That's what they're for.
Paul Rubin <"http://phr.cx"@NOSPAM.invalid> writes:
Tor Erik Soenvisen <to******@hotmail.com> writes:
# Protect against SQL injection by escaping quotes
Don't ever do that, safe or not. Use query parameters instead.
That's what they're for.
More specifically: They've been debugged for just these kinds of
purposes, and every time you code an ad-hoc escaping-and-formatting
SQL query, you're inviting all the bugs that have been found and
removed before.
--
\ "Welchen Teil von 'Gestalt' verstehen Sie nicht? [What part of |
`\ 'gestalt' don't you understand?]" -- Karsten M. Self |
_o__) |
Ben Finney
Ben Finney wrote:
More specifically: They've been debugged for just these kinds of
purposes
in a well-designed database, the SQL parser never sees the parameter values,
so *injection* attacks are simply not possible.
</F>
Tor Erik Soenvisen wrote:
Hi,
How safe is the following code against SQL injection:
# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)
pw is the supplied password and uname is the supplied password.
Slightly safer than not doing anything to the user-supplied inputs, but
nowhere near as safe as it needs to be. Use parameterized queries!
regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden
In article <Xn*****************************@129.242.5.222>,
Tor Erik Soenvisen <to******@hotmail.com> wrote:
> How safe is the following code against SQL injection:
# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)
Do yourself a favor at least and switch to using double-quotes for the
string. I also recommend switching to triple-quotes to avoid the
backslash continuation.
--
Aahz (aa**@pythoncraft.com) <* http://www.pythoncraft.com/
"If you don't know what your program is supposed to do, you'd better not
start writing it." --Dijkstra
Tor Erik Soenvisen wrote:
How safe is the following code against SQL injection:
# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)
This is definitely *not* safe.
For instance, set uname = r"\' or 1=1 --"
You must replace the backslash with a double backslash as well.
But as already suggested, you should better use query parameters.
-- Christoph
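The parameterized alternative the replies recommend, as an added example that is not code from the thread: sqlite3 stands in for the poster's Oracle connection (its "?" placeholders play the role of cx_Oracle's ":name" bind variables), the staff rows are constructed, and hashlib.sha1 replaces the old sha module.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for the post's Oracle "staff" table.
# The second user has a quote in the name: legitimate input that the
# post's escaping had to special-case, and that bind values handle as-is.
STAFF = [
    ("alice", "s3cret", "admin"),
    ("o'brien", "hunter2", "user"),
]


def make_db():
    """Build an in-memory table with the same columns the post queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)")
    for uname, pw, priv in STAFF:
        db.execute("INSERT INTO staff VALUES (?, ?, ?)",
                   (uname, hashlib.sha1(pw.encode()).hexdigest(), priv))
    return db


# The SQL text is a constant. The driver ships the values separately, so the
# SQL parser only ever sees two placeholders, never the user-supplied text,
# and no quote-doubling or backslash handling is needed in our code.
PRIVILEGE_SQL = "SELECT privilege FROM staff WHERE username=? AND password=?"


def privilege_for(db, uname, pw):
    """Parameterized replacement for the post's string-built query.

    Returns the privilege string on a match, or None when no row matches.
    """
    digest = hashlib.sha1(pw.encode()).hexdigest()   # mirrors sha.new(pw)
    row = db.execute(PRIVILEGE_SQL, (uname, digest)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(privilege_for(db, "alice", "s3cret"))        # admin
    print(privilege_for(db, "o'brien", "hunter2"))     # user
    print(privilege_for(db, "' or 1=1 --", "x"))       # None: just a name
```

Inputs such as the "' or 1=1 --" value discussed above are compared as a plain username value and match no row; the query itself cannot be altered by them.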