[thelist] Re: Avoiding SQL Injection
Joshua Olson
joshua at waetech.com
Tue Mar 22 07:34:38 CST 2005
> -----Original Message-----
> From: Ken Schaefer
> Sent: Tuesday, March 22, 2005 1:11 AM
> Here is a post from Adam Tupliper, with a follow-up by
> Michael Howard (author
> of Writing Secure Code) on how it may be possible to encode
> values, which are then decoded by SQL Server.
> http://www.securityfocus.com/archive/107/384633/2004-12-15/2004-12-20/0
Ken,
Interesting in concept. In practice it doesn't seem to work, though. I
just tried quite a few variations through Enterprise Manager and I can't
seem to escape text within a string. It appears that SQL Server handles
0x27 as a normal 4 character string.
> David Litchfield (of NGSSoftware) also has a post
> somewhere (which I can't find now), where he demonstrates the
> ability to encode a ' character (so a simple Find/Replace in your
> application layer code
> won't pick it up). This is one area the developer needs to be
> aware of - encoding mechanisms that the underlying DBMS may use:
I'd like to see this example. I'd venture to guess this injection technique
relies on a flaw within text escaping within the middle-ware, not within the
SQL parser within the DBMS.
<><><><><><><><><><>
Joshua Olson
Web Application Engineer
WAE Tech Inc.
http://www.waetech.com/service_areas/
706.210.0168
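The thread's underlying point is that an application-layer find/replace on the quote character is only as good as the assumption that a literal ' is the only way to end a string, whereas a parameterized query keeps the value out of the SQL text entirely, so the question of what the DBMS might decode never arises. The script below is an added illustration, not code from the thread or from any of the people quoted in it; it uses SQLite in memory (rather than SQL Server) so it runs offline, and the table, user names and inputs are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the example; not data from the original thread.
USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("o'neil", "oneil@example.invalid"),   # a legitimate value containing a quote
]

# A crafted input of the textbook form: closes the literal and appends a tautology.
INJECTED = "x' OR 'a'='a"


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the user-supplied value is spliced into the SQL text, so the
    parser decides where the literal ends."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Application-layer find/replace of ' with '' (the defence the thread
    discusses). Correct only while a literal ' is the sole way to terminate a
    string; any DBMS-side decoding the middleware does not know about would
    reopen the problem."""
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterized: the value travels separately from the SQL text, so no
    escaping or encoding rule of the DBMS is involved."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def run_demo():
    """Run each lookup against a benign quoted name and the crafted input and
    return the observed results so they can be compared side by side."""
    conn = make_db()
    results = {}

    # Concatenation: the crafted input widens the WHERE clause to every row,
    # and a legitimate name containing a quote is a syntax error.
    results["concat_injected"] = lookup_concat(conn, INJECTED)
    try:
        lookup_concat(conn, "o'neil")
        results["concat_quote_ok"] = True
    except sqlite3.Error:
        results["concat_quote_ok"] = False

    # Quote doubling: works here because SQLite's only literal terminator is '.
    results["escaped_quote"] = lookup_escaped(conn, "o'neil")
    results["escaped_injected"] = lookup_escaped(conn, INJECTED)

    # Parameters: the same inputs, with nothing to escape.
    results["param_quote"] = lookup_param(conn, "o'neil")
    results["param_injected"] = lookup_param(conn, INJECTED)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:17s} -> {value}")
```

Running it shows the concatenated query returning all three names for the crafted input and failing outright on `o'neil`, while both the quote-doubling and the parameterized lookups return only the matching row; the difference is that the parameterized form does not depend on any assumption about the DBMS's handling of encoded characters.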