[thelist] sql injection problem

Chris at globet.com Chris at globet.com
Mon Sep 25 11:16:49 CDT 2006


Brian

[..]

> I'm using the following ASP replacements before the ncat var 
> is passed into the inline query:
> 
>         ncat = replace( ncat, "'", "''" )
>         ncat = replace( ncat, """", "" )
>         ncat = replace( ncat, ")", "" )
>         ncat = replace( ncat, "(", "" )
>         ncat = replace( ncat, ";", "" )
>         ncat = replace( ncat, "-", "" )
>         ncat = replace( ncat, "|", "" )
>         ncat = replace( ncat, "<", "" )
>         ncat = replace( ncat, ">", "" )
>         ncat = replace( ncat, "script", "" )

I don't know offhand what you're missing, but one thing immediately
springs to mind in terms of security. You appear to be cleaning your
data, before adding it to your query and then executing it. Since you're
removing all of the offending characters and strings rather than
encoding them, it's clear that they are not valid input.

If you receive invalid input, why are you then processing it instead of
ceasing all processing and informing the user that they have entered
invalid input? If someone's trying to hack your system, they're trying
to hack your system. Although I don't really like real world
comparisons, please forgive the following: If there's a burglar at my
front door, I would feel safer not letting him in at all rather than
giving him a quick pat-down for illegal weapons then letting him in.

In addition, you are specifying all of the characters and strings that
you *don't* allow. If this list changes because somebody finds another
system vulnerability, you will have to a) be aware of it, and b) go back
to your code to make further changes. I would personally URL-decode the
input value, then check that it contained only alpha/numeric characters
and spaces (or whatever your criteria are). If any further system
vulnerabilities are discovered, you're unlikely to be compromised.

HTH

[..]

-- 
Chris Marsh
Software Developer
t: +44 20 8246 4804 x828
f: +44 20 8246 4808
e: chris at globet.com
w: http://www.globet.com/

Any opinions expressed in this email are those of the individual and not
necessarily the Company. This message is intended for the use of the
individual or entity to which it is addressed and may contain
information that is confidential and privileged and exempt from
disclosure under applicable law. If the reader of this message is not
the intended recipient, you are hereby notified that any dissemination,
distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please contact the
sender immediately and delete it from your system.




More information about the thelist mailing list