Solved

Replacing Single Quotes - Still SQL Injection Issue?

Posted on 2009-07-09
Last Modified: 2013-11-16
I have a quick question about SQL Injections... I want to know if replacing single quotes with extra single quotes is enough to prevent SQL Injections from QueryString-based database calls.

For example: http://www.mywebsite.com/viewPage.asp?id=1
Assume the following on the backend:
<%
dim id, rs
id = request("id")
id = replace(id, "'", "''")
set rs = getResults(id)
...
%>

Is this secure enough to prevent malicious attacks?
Question by:Unionblitz
8 Comments
 
Expert Comment

by:shru_0409
Comment Utility

Expert Comment

by:Aneesh Retnakaran
Hello Unionblitz,
Avoiding the use of dynamic SQL prevents them. If you want to have dynamic SQL, use parameterised dynamic SQL.


Regards,

Aneesh

Author Comment

by:Unionblitz
I'm familiar with stored procedures and parameterized SQL (PHP, etc.). I just couldn't find a way to break the replace(SQL, [single quote], [single quote][single quote]). shru_0409 provided a link that kind of went over a way to break it (I haven't tried it yet though).

Request from site: http://mysite.com/main.asp?id=1\'; DROP Table Users; --

Server Code in main.asp:
id = request("id")
id = replace(id, "'", "''")
sql = "select * from users where id = '" & id & "';"

Apparently, that would bypass the single quote guard.

Expert Comment

by:TurboBorland
Yes, backslash (escape the next character) and the use of the char() function would break that security feature.  Blacklists are not the way to go.  Seeing as you are expecting an integer, force the query to be an integer.

Author Comment

by:Unionblitz
Thanks, TurboBorland... Could you please provide me with an example of the char() concept?  

Right now, I am talking strictly on Classic ASP/.NET and SQL Server.  I don't care about the insecurities of PHP and MySQL at the moment. I need a good reason to explain to my boss that replacing single quotes is not enough.

Expert Comment

by:TurboBorland
Sure, let's take the example of a UNION SELECT injection being made.  Also assume that we know the table names from grabbing from INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS.
id=1/**/UNION/**/SELECT/**/TOP/**/1/**/password/**/FROM/**/admin_table/**/where/**/login_name=char(0x556e696f6e626c69747a)--

The name inside of char() is your name, hex encoded. It conveniently bypasses the need to use quotes. Now, the char() function would be useful to add to your query, while the backslash would be the easiest to end your current query and execute another one (like your example of 1\'; next query;--).

Accepted Solution

by:TurboBorland (earned 50 total points)
Sorry, that was MySQL.  Here's MS-SQL:  CHAR(85)+CHAR(110)+CHAR(105)+CHAR(111)+CHAR(110)+CHAR(98)+CHAR(108)+CHAR(105)+CHAR(116)+CHAR(122)

Author Comment

by:Unionblitz
TurboBorland, could you provide me with a practical example for the MS-SQL code you provided?  Perhaps for C# and ASP.NET or classic asp?
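Added example (not posted by anyone in this thread): the C#/ASP.NET version asked for above, applying the two fixes the answers agree on, integer validation and a typed SqlParameter, instead of the replace(id, "'", "''") guard. Assumptions: a table Users with columns id and login_name (names taken from the queries quoted in the thread) and a connection string the caller supplies.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Hardened version of the thread's QueryString-driven lookup for C#/ASP.NET on SQL Server.
// Assumed schema (not from the thread): Users(id INT, login_name NVARCHAR(...)).
public static class UserLookup
{
    // The page expects an integer, so accept only decimal digits. Every payload shown in
    // the thread (quotes, a backslash, /**/ comments, CHAR(...) calls, a trailing "--")
    // fails to parse and never reaches the database. NumberStyles.None also rejects
    // leading/trailing whitespace and signs, so the id is exactly what the URL showed.
    public static bool TryParseId(string raw, out int id)
    {
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id);
    }

    // Even a validated integer is bound as a typed parameter rather than concatenated.
    // The statement text is constant; the value travels separately to SQL Server, so it
    // can only ever be compared against id, never parsed as part of the SQL.
    public static DataTable GetUser(string connectionString, int id)
    {
        const string sql = "SELECT id, login_name FROM Users WHERE id = @id;";
        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }

    // Page-side usage, e.g. in Page_Load of viewPage.aspx (assumes a connection string
    // named "MainDb" in web.config and a reference to System.Configuration):
    //
    //   int id;
    //   if (!UserLookup.TryParseId(Request.QueryString["id"], out id))
    //   {
    //       Response.StatusCode = 400;   // "1 UNION SELECT ..." and "1\'; DROP ..." end here
    //       return;
    //   }
    //   var cs = ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString;
    //   DataTable rows = UserLookup.GetUser(cs, id);
}
```

The same two steps carry over to classic ASP: check the value with IsNumeric/CLng before use and pass it through an ADODB.Command parameter rather than string concatenation.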