RE: SQL Injection
From: Scovetta, Michael V (Michael.Scovetta@ca.com)
Date: Tue Jun 01 2004 - 15:27:32 CDT
What if their name was O'Henry? Security must be paramount to the
developer, but invisible to the client. Best choice: parameterized
queries. Second best: have a stored procedure make the modification.
Third: filter IN good characters. Fourth: filter OUT bad characters.
Since I started using parameterized queries (via Java's
PreparedStatement object), I haven't run into a single SQL injection
issue. My hat's off to the developers for a clean, easy to use
IMHO, this is the way of the 'future'-- addslashes() and other hacks are
always going to suffer from special cases that get missed, or DBMS
oddities like strange escape sequences.
> -----Original Message-----
> From: Serg B. [mailto:serg@dodo.com.au]
> Sent: Tuesday, June 01, 2004 9:37 AM
> To: emanuelez@libero.it
> Cc: webappsec@securityfocus.com
> Subject: Re: SQL Injection
> Perhaps you could limit or anticipate the character set used for users'
> usernames and passwords and filter out everything else?
> On Fri, 2004-05-28 at 17:17, Emanuele Zattin wrote:
> > Hello Everybody!
> > I recently found out that one of my websites suffered SQL injections
> > this:
> > Login: a' OR 'a'='a
> > Password: a' OR 'a'='a
> > I solved the problem checking whether the logon or password
> > contained the "'" char... is it safe enough? I checked around the
> > found a recent paper from Imperva but it does not talk about single
> > checking... I tried to use different encodings but that string in
> > just the same... any hint?
> Serg B. <serg@dodo.com.au>
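The three approaches discussed in this thread run side by side, as an added example that is not code from any of the posters. Python's sqlite3 parameter binding stands in for Java's PreparedStatement; the in-memory user table, the O'Henry account, the demo() helper and the whitelist regexp are assumptions made for the example, while the login string is the one from Emanuele's post. It shows that concatenation lets the payload through, that a plain "'" check or a whitelist blocks the payload but also blocks a legitimate O'Henry, and that the parameterized query handles both correctly.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the original thread).
USERS = [("alice", "s3cret"), ("O'Henry", "pass1")]
# The injection string reported in Emanuele's original post.
PAYLOAD = "a' OR 'a'='a"


def make_db():
    """In-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the query is assembled by string concatenation, so the
    attacker's quote closes the literal and the OR clause is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Safe: placeholders are bound by the driver, so the input is always a
    value and never SQL text (the PreparedStatement approach above)."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def contains_quote(s):
    """The original poster's fix: reject any input containing a single quote."""
    return "'" in s


def whitelist_ok(s):
    """Serg's suggestion: allow only an anticipated character set (assumed set)."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", s) is not None


def demo():
    """Run the same inputs through each approach and return the outcomes."""
    conn = make_db()
    results = {
        "concat_payload": login_concat(conn, PAYLOAD, PAYLOAD),   # 'alice': login bypassed
        "param_payload": login_param(conn, PAYLOAD, PAYLOAD),     # None: payload is just a value
        "param_ohenry": login_param(conn, "O'Henry", "pass1"),    # "O'Henry": quotes are fine
        "quote_filter_ohenry": contains_quote("O'Henry"),         # True: legitimate user rejected
        "whitelist_ohenry": whitelist_ok("O'Henry"),              # False: same problem
    }
    try:
        login_concat(conn, "O'Henry", "pass1")
        results["concat_ohenry"] = "ok"
    except sqlite3.OperationalError:
        # The apostrophe in a real name breaks the concatenated query entirely.
        results["concat_ohenry"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value!r}")
```

The concatenated query becomes `... WHERE username = 'a' OR 'a'='a' AND password = 'a' OR 'a'='a'`, which is true for every row, so the first user is returned without a valid password. With bound parameters the same string is compared as a literal username and matches nothing, while O'Henry logs in normally because the driver never splices the apostrophe into SQL.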