[thelist] Need help with a simple regex (Monday annoyance)

Tue Apr 5 02:10:04 CDT 2005

Could I suggest re-reading the previous thread that was referenced. We
covered simple data type checks.

Cheers
Ken

--
www.adOpenStatic.com/cs/blogs/ken/ 

: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Paul Cowan
: Subject: Re: [thelist] Need help with a simple regex (Monday annoyance)
: 
: On 4/04/2005 11:04 PM -0400 Matt Warden wrote:
: > I think we showed in an earlier thread that you can basically guard
: > against this by escaping single quotes. There was some discussion also
: > about encoding attacks, but it seemed to be largely theoretical, as we
: > could not get an example of the attack to work.
: 
: It's a common myth that you can guard against SQL injection by replacing
: quotes in strings. Remember that any integer-type values you take from the
: request are also vulnerable -- possibly more so. For example, let's
: suppose
: the following URL:
: 
: http://monkeyspoon.com/products?category=10
: 
: where the code in the page builds something like
: 
: sql = "select * from product where cat = " & request("category")
: 
: which is mega-common, right? We've all seen code like this a zillion
: times.
: But what about if someone hits
: 
: http://monkeyspoon.com/products?category=10 OR (1 = 1)
: 
: ? All of a sudden that query returns EVERY product in the database...
: which
: might reveal some info you don't want revealed. And even if you don't care
: (they're products, right? Who gives a damn the user can hack the 'category
: view' page to see all the products?), what about if they do this:
: 
: http://monkeyspoon.com/products?category=10 UNION ALL SELECT * FROM
: TopSecretPasswords
: 
: All of a sudden, they've changed your product search page into something
: that tries to display all your secret passwords. Your product display page
: probably won't work, but the error message might reveal information about
: the table structure of the TopSecretPasswords table... and they can refine
: their query, and try again, until they get what they want...
: 
: They can also do something like
: 
: http://monkeyspoon.com/products?category=10 ; DROP TABLE Orders
: 
: which will wreak no end of havoc, I'm sure!
: 
: The list goes on... there's much more to SQL encoding that just replacing
: quotes. You need to make sure that every piece of data that goes to the DB
: matches the type it should be -- if it's supposed to be an INT, make sure
: it IS an INT before you send it to the DB. Only if it's a string, and it's
: SUPPOSED to be a string, do you need to worry about escaping quotes and so
: on. This is where parameterised queries come into their own.
: 