Solved

Replacing Single Quotes - Still SQL Injection Issue?

Posted on 2009-07-09
8
2,195 Views
Last Modified: 2013-11-16
I have a quick question about SQL Injections... I want to know if replacing single quotes with extra single quotes is enough to prevent SQL Injections from QueryString-based database calls.

For example: http://www.mywebsite.com/viewPage.asp?id=1
Assume the following on the backend:
<%
dim id, rs
id = request("id")
id = replace(id, "'", "''")
set rs = getResults(id)
...
%>

Is this secure enough to prevent malicious attacks?
0
Comment
Question by:Unionblitz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 14

Expert Comment

by:shru_0409
ID: 24814036
0
 
LVL 75

Expert Comment

by:Aneesh Retnakaran
ID: 24814313
Hello Unionblitz,
Avoiding the use of dynamic sql prevents them, if you want to have dynamic sql, use parameterised dynamic sql


Regards,

Aneesh
0
 

Author Comment

by:Unionblitz
ID: 24814864
I'm familiar with stored procedures and parameterized SQL (PHP, etc).  I just couldn't find a way to break the replace(SQL, [single quote], [single quote][single quote]).  shru 0409 provided a link that kind of went over a way to break it (I haven't tried it yet though).

Request from site: http://mysite.com/main.asp?id=1\'; DROP Table Users; --

Server Code in main.asp:
id = request("id")
id = replace(id, "'", "''")
sql = "select * from users where id = '" & id & "';"

Apparently, that would bypass the single quote guard.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Expert Comment

by:TurboBorland
ID: 24818263
Yes, backslash (escape the next character) and the use of the char() function would break that security feature.  Blacklists are not the way to go.  Seeing as you are expecting an integer, force the query to be an integer.
0
 

Author Comment

by:Unionblitz
ID: 24819113
Thanks, TurboBorland... Could you please provide me with an example of the char() concept?  

Right now, I am talking strictly on Classic ASP/.NET and SQL Server.  I don't care about the insecurities of PHP and MySQL at the moment. I need a good reason to explain to my boss that replacing single quotes is not enough.
0
 
LVL 4

Expert Comment

by:TurboBorland
ID: 24819637
Sure, let's take the example of a UNION SELECT injection being made.  Also assume that we know the table names from grabbing from INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS.
      id=1/**/UNION/**/SELECT/**/TOP/**/1/**/password/**/FROM/**/admin_table/**/where/**/login_name=char(0x556e696f6e626c69747a)--    The name inside of char() is your name, hex encoded.  It conveniently bypasses the need to use quotes.  Now, the char() function would be useful to add to your query, while the backslash would be the easiest to end your current query and execute another one (like you're example of 1\'; next query;--.
0
 
LVL 4

Accepted Solution

by:
TurboBorland earned 50 total points
ID: 24819641
Sorry, that was MySQL.  Here's MS-SQL:  CHAR(85)+CHAR(110)+CHAR(105)+CHAR(111)+CHAR(110)+CHAR(98)+CHAR(108)+CHAR(105)+CHAR(116)+CHAR(122)
0
 

Author Comment

by:Unionblitz
ID: 24869966
TurboBorland, could you provide me with a practical example for the MS-SQL code you provided?  Perhaps for C# and ASP.NET or classic asp?
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This post looks at MongoDB and MySQL, and covers high-level MongoDB strengths, weaknesses, features, and uses from the perspective of an SQL user.
An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question