Replacing Single Quotes - Still SQL Injection Issue?
I have a quick question about SQL Injections... I want to know if replacing single quotes with extra single quotes is enough to prevent SQL Injections from QueryString-based database calls.
For example: http://www.mywebsite.com/viewPage.asp?id=1
Assume the following on the backend:
<%
dim id, rs
id = request("id")
id = replace(id, "'", "''")
set rs = getResults(id)
...
%>
Is this secure enough to prevent malicious attacks?
For example: http://www.mywebsite.com/viewPage.asp?id=1
Assume the following on the backend:
<%
dim id, rs
id = request("id")
id = replace(id, "'", "''")
set rs = getResults(id)
...
%>
Is this secure enough to prevent malicious attacks?
Hello Unionblitz,
Avoiding the use of dynamic sql prevents them, if you want to have dynamic sql, use parameterised dynamic sql
Regards,
Aneesh
Avoiding the use of dynamic sql prevents them, if you want to have dynamic sql, use parameterised dynamic sql
Regards,
Aneesh
ASKER
I'm familiar with stored procedures and parameterized SQL (PHP, etc). I just couldn't find a way to break the replace(SQL, [single quote], [single quote][single quote]). shru 0409 provided a link that kind of went over a way to break it (I haven't tried it yet though).
Request from site: http://mysite.com/main.asp?id=1\'; DROP Table Users; --
Server Code in main.asp:
id = request("id")
id = replace(id, "'", "''")
sql = "select * from users where id = '" & id & "';"
Apparently, that would bypass the single quote guard.
Request from site: http://mysite.com/main.asp?id=1\'; DROP Table Users; --
Server Code in main.asp:
id = request("id")
id = replace(id, "'", "''")
sql = "select * from users where id = '" & id & "';"
Apparently, that would bypass the single quote guard.
Yes, backslash (escape the next character) and the use of the char() function would break that security feature. Blacklists are not the way to go. Seeing as you are expecting an integer, force the query to be an integer.
ASKER
Thanks, TurboBorland... Could you please provide me with an example of the char() concept?
Right now, I am talking strictly on Classic ASP/.NET and SQL Server. I don't care about the insecurities of PHP and MySQL at the moment. I need a good reason to explain to my boss that replacing single quotes is not enough.
Right now, I am talking strictly on Classic ASP/.NET and SQL Server. I don't care about the insecurities of PHP and MySQL at the moment. I need a good reason to explain to my boss that replacing single quotes is not enough.
Sure, let's take the example of a UNION SELECT injection being made. Also assume that we know the table names from grabbing from INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS
id=1/**/UNION/**/SELECT/**
id=1/**/UNION/**/SELECT/**
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
TurboBorland, could you provide me with a practical example for the MS-SQL code you provided? Perhaps for C# and ASP.NET or classic asp?
chek this link