[thelist] SQL Update CORRECTION

Ken Schaefer ken.schaefer at gmail.com
Mon Jul 19 18:41:31 CDT 2004


On Mon, 19 Jul 2004 10:34:15 -0400, Joshua Olson <joshua at waetech.com> wrote:
> > -----Original Message-----
> > From: Ken Schaefer
> > Sent: Sunday, July 18, 2004 7:56 PM
> 
> > If you think that doubling quotes will get you out of most injection
> > attacks then you didn't read the links that I posted previously.
> 
> Ken,
> 
> I cannot think of any SQL injection attack that is possible if you double
> the single quotes on strings and convert to numbers all input value that are
> going to be fed into numeric fields.  Ideally, the conversion routine would
> convert the input value to 0 or throw an error if the value is non numeric.
> Am I missing something?


Did you read the links I posted? There are a few ways to get around
this (from the perspective of the attacker), including encoded values,
and reusing/reinjecting values that are already in the database in
subsequent queries that your application might use.

Once you ensure that you have doubled single quotes, you've defeated
most of the trivial attacks. Everything else starts becoming
non-trivial (and then starts becoming difficult to explain in a 2-3
paragraph email). I'm happy to post more links to documents/whitepapers
etc. if people are interested.


> > There are lots of good SQL Injection attack papers out there. Never
> > make the mistake that you think you know the ways that an attacker can
> > break into your application, especially when you're not in the
> > professional security business.
> >
> > Explicitly choosing to /allow/ things rather than attempting to work
> > out what to disallow is the correct way of handling things. For any
> > new development, I don't see how this takes any longer than trying to
> > work out what to disallow.
> 
> Do you have any specific approaches using this methodology that you prefer
> to employ when dealing with the possibility of SQL Injection?

- Do not use inline SQL. Everything I do now is with stored
procedures. Use whatever your application technology provides WRT
parameterising queries.
- Reliance on Regular Expressions to filter user input (from untrusted sources)
- Being paranoid :-)

Cheers
Ken
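The two approaches argued over in this thread, quote-doubling plus numeric conversion versus parameterised queries, side by side, including the "reinjecting values already in the database" case Ken mentions. This is an added example written for this page, not code from either poster; it uses Python's sqlite3 module, and the table, rows and function names are constructed for the demonstration.

```python
import sqlite3

def setup_db():
    """Constructed sample data: one admin and one user whose name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user")])
    return conn

def to_int_or_raise(value):
    """Numeric-field rule from the thread: convert the input, or refuse it outright."""
    s = value.strip()
    if not (s.isdigit() or (s.startswith("-") and s[1:].isdigit())):
        raise ValueError(f"non-numeric input rejected: {value!r}")
    return int(s)

def role_by_name_escaped(conn, name):
    """Quote-doubling on the way in: correct here, but only if every call site does it."""
    escaped = name.replace("'", "''")
    return conn.execute(f"SELECT role FROM users WHERE name = '{escaped}'").fetchall()

def role_by_name_param(conn, name):
    """Parameterised query: the value is sent separately and never becomes SQL text."""
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()

def role_by_id_param(conn, raw_id):
    """Numeric field: convert first, then still bind as a parameter."""
    return conn.execute("SELECT role FROM users WHERE id = ?",
                        (to_int_or_raise(raw_id),)).fetchall()

def count_same_name(conn, user_id, parameterised):
    """Second-order pattern: a value already stored in the database is reused in a
    later query. The name was escaped correctly when inserted, but what is stored is
    the raw text with its quote; concatenating it into new SQL breaks the query
    (and, for other stored text, could change its meaning), while a parameter does not."""
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    if parameterised:
        sql, args = "SELECT COUNT(*) FROM users WHERE name = ?", (name,)
    else:
        sql, args = f"SELECT COUNT(*) FROM users WHERE name = '{name}'", ()
    return conn.execute(sql, args).fetchone()[0]
```

Escaping only protects the statement it was applied to; the parameterised form protects every statement regardless of where the value came from.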
