[thelist] sql injection problem

Bill Moseley moseley at hank.org
Mon Sep 25 14:32:52 CDT 2006


On Sun, Sep 24, 2006 at 09:30:24PM -0400, Brian Cummiskey wrote:
> I'm testing a new app against HackerSafe and I keep failing on one page.
> 
> I CAN'T use a stored procedure...  they won't let me.  (i know, i 
> know...) so I'm doing the best I can to clean the querystrings.
> 
> I'm using the following ASP replacements before the ncat var is passed 
> into the inline query:
> 
>         ncat = replace( ncat, "'", "''" )
>         ncat = replace( ncat, """", "" )
>         ncat = replace( ncat, ")", "" )
>         ncat = replace( ncat, "(", "" )
>         ncat = replace( ncat, ";", "" )
>         ncat = replace( ncat, "-", "" )
>         ncat = replace( ncat, "|", "" )
>         ncat = replace( ncat, "<", "" )
>         ncat = replace( ncat, ">", "" )
>         ncat = replace( ncat, "script", "" )

Can't you use bind parameters and avoid this completely?

I don't use ASP but I never pass user data in SQL and I never attempt
to "clean" the data.  If I ever did that I would instead keep known
valid characters instead of removing known (or what I think are known)
bad ones.

I was looking over a client's PHP scripts and noticed a lot of cleaning
of user data and then placing the variables right in the SQL.  Besides
being really ugly, it looked very dangerous.



-- 
Bill Moseley
moseley at hank.org
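The two approaches contrasted in this reply (blocklist-style cleaning of a value that is then pasted into the query, versus an allowlist check plus bind parameters), as an added example that is not part of the original thread. It is Python against an in-memory SQLite database rather than ASP; the table `categories`, the column `name` and the sample rows are constructed for the demonstration, and the allowlist pattern is an assumed policy for a category-name field, not something the post specifies. It shows a defender-side cost of the blocklist that is easy to miss: the `replace("script", "")` step silently mangles legitimate values such as `description`, so the lookup fails even though no attack is involved.

```python
"""Blocklist cleaning vs. allowlist validation + bind parameters (added example)."""
import re
import sqlite3

# Python transcription of the ASP replace() chain quoted in the thread.
_BLOCKLIST = [("'", "''"), ('"', ""), (")", ""), ("(", ""), (";", ""),
              ("-", ""), ("|", ""), ("<", ""), (">", ""), ("script", "")]


def blocklist_clean(ncat: str) -> str:
    """Remove 'known bad' substrings, exactly as the quoted ASP code does."""
    for bad, repl in _BLOCKLIST:
        ncat = ncat.replace(bad, repl)
    return ncat


# Assumed policy for this field: a category name is 1-40 letters, digits,
# spaces or underscores. Anything else is rejected rather than "cleaned".
_ALLOWED = re.compile(r"[A-Za-z0-9 _]{1,40}")


def allowlist_validate(ncat: str) -> str:
    """Keep only values whose every character is known to be valid."""
    if not _ALLOWED.fullmatch(ncat):
        raise ValueError(f"category name contains characters outside the allowlist: {ncat!r}")
    return ncat


def build_db() -> sqlite3.Connection:
    """Constructed sample table; the names are chosen to exercise the blocklist."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO categories (name) VALUES (?)",
                     [("javascript books",), ("description",), ("O'Neil",)])
    conn.commit()
    return conn


def find_category_interpolated(conn: sqlite3.Connection, ncat: str) -> list:
    """The 'inline query' style from the thread: the value is pasted into the SQL text."""
    sql = f"SELECT name FROM categories WHERE name = '{ncat}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def find_category_bound(conn: sqlite3.Connection, ncat: str) -> list:
    """Bind parameters: the driver sends the value separately from the SQL text,
    so quoting is never the application's problem and the data is not altered."""
    rows = conn.execute("SELECT name FROM categories WHERE name = ?", (ncat,)).fetchall()
    return [row[0] for row in rows]


def compare(ncat: str) -> dict:
    """Run one input through both approaches and report what each one returns."""
    conn = build_db()
    result = {"input": ncat}
    cleaned = blocklist_clean(ncat)
    result["blocklist_cleaned_value"] = cleaned
    result["blocklist_rows"] = find_category_interpolated(conn, cleaned)
    try:
        result["allowlist_ok"] = allowlist_validate(ncat) == ncat
    except ValueError:
        result["allowlist_ok"] = False
    result["bound_rows"] = find_category_bound(conn, ncat)
    return result


if __name__ == "__main__":
    for value in ("description", "javascript books", "O'Neil"):
        print(compare(value))
```

Running it shows `description` turning into `deion` and `javascript books` into `java books` after blocklist cleaning, so the interpolated lookup returns nothing for perfectly ordinary input, while the bound query finds both rows untouched. `O'Neil` is rejected by this particular allowlist (the apostrophe is not in the pattern), which is the point of the allowlist stance: the field's policy decides what is acceptable, and the bind parameter handles quoting for whatever is accepted, so neither step has to guess at "bad" characters.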
