[thelist] XSL: Finding apostrophes

Andrew Clover and at doxdesk.com
Fri Jan 25 05:34:01 CST 2002


Jason Bauer <jbauer at mtu.edu> wrote:

> When I write a URL like search.xsql?name=Jerry O'Donnel, the page returns
> an SQL error because of the '.

Hi Jason,

I'd be *very* worried about that; it's a sure sign of a common coding error
that can have harsh security consequences. Fixing the apostrophes at the
client-side is of little use since an attacker can still manually enter a
URL like -

  search.xsql?name=x'; DROP TABLE foo; SELECT 'x

which with a suitable 'foo' and permissions can do your database serious
harm. Of course there are many other ways to exploit the same hole.

search.xsql needs to be fixed. My minimal research into XSQL suggests that
"WHERE somecolumn='{@name}'" is the commonly used syntax for substituting
variables into XSQL queries - is search.xsql doing that? If so, then it
may even be Oracle's XSQL Servlet itself to blame, which would be very
disappointing indeed.

Oh, and you *will* still need to do URL-encoding, unless you can be sure
your 'name' values will only ever contain alphanumerics and the symbols:

  $-_.!*'(),

Spaces in particular should be converted to '%20', although many browsers
will let you get away without doing it.

Sorry about that. ;-)

--
Andrew Clover
mailto:and at doxdesk.com
http://and.doxdesk.com/
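The hole described in the message above, worked through as an added example that is not part of the original post or of XSQL: a query built by splicing the raw 'name' value into the SQL text (the WHERE somecolumn='{@name}' shape) beside the same query with the value passed as a bind parameter, plus the URL-encoding the message asks for. It assumes Python's sqlite3 standing in for Oracle, a constructed table named foo (the name taken from the sample payload), and executescript() standing in for a driver that accepts a batch of statements so that the DROP TABLE in the payload can actually run. Only the unsafe function needs that batch mode; the bind-parameter version is run as a single statement.

```python
import sqlite3
from urllib.parse import quote, unquote

# Characters the message says may be left unencoded in a query-string value
# (alphanumerics are always left alone by quote()).
SAFE_CHARS = "$-_.!*'(),"


def encode_param(value):
    """URL-encode a value for search.xsql?name=... ; spaces become %20."""
    return quote(value, safe=SAFE_CHARS)


def decode_param(value):
    """What the server sees after the query string is decoded again."""
    return unquote(value)


def fresh_db():
    """Constructed in-memory database standing in for the one behind search.xsql."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE foo (name TEXT)")
    db.executemany("INSERT INTO foo VALUES (?)",
                   [("Jerry O'Donnel",), ("Alice",)])
    db.commit()
    return db


def build_spliced_sql(name):
    """The vulnerable pattern: the raw value is spliced into the SQL text,
    the same shape as WHERE somecolumn='{@name}' in an XSQL page."""
    return "SELECT name FROM foo WHERE name='%s'" % name


def search_unsafe(db, name):
    """Run the spliced text as one statement.  Returns the matching names, or
    the driver's error text when an apostrophe breaks the statement (the
    "SQL error" Jason saw)."""
    try:
        return [row[0] for row in db.execute(build_spliced_sql(name))]
    except sqlite3.Error as e:
        return "SQL error: %s" % e


def run_batch_unsafe(db, name):
    """Same spliced text handed to a driver that accepts a batch of statements
    (sqlite3's executescript, assumed here).  Returns whether foo survived."""
    db.executescript(build_spliced_sql(name))
    return table_exists(db)


def search_safe(db, name):
    """The fix: the value travels as a bind parameter, never as SQL text, so
    an apostrophe is just a character and a payload is just a name."""
    return [row[0] for row in
            db.execute("SELECT name FROM foo WHERE name=?", (name,))]


def table_exists(db):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='foo'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    apostrophe = "Jerry O'Donnel"
    drop = "x'; DROP TABLE foo; SELECT 'x"
    tautology = "x' OR 'x'='x"

    db = fresh_db()
    print("unsafe, real name:   ", search_unsafe(db, apostrophe))
    print("unsafe, tautology:   ", search_unsafe(db, tautology))
    print("unsafe batch, DROP:   foo survives?", run_batch_unsafe(db, drop))

    db = fresh_db()
    print("safe, real name:     ", search_safe(db, apostrophe))
    print("safe, DROP payload:  ", search_safe(db, drop),
          "foo survives?", table_exists(db))
    print("encoded URL value:   ", encode_param(apostrophe))
    print("decoded again:       ", decode_param(encode_param(apostrophe)))
```

The tautology payload is there because the message's point is that the DROP TABLE is only one way in: even a driver that refuses multi-statement batches will happily return every row for x' OR 'x'='x. Note that encoding the apostrophe on the client (with %27) changes nothing on the server side, since the value is decoded before it reaches the query; only the bind parameter closes the hole.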


