Solved

Is it possible to prevent SQL-injections solely by filtering out specific characters

Posted on 2011-09-26
7
258 Views
Last Modified: 2012-05-12
Is rigourous filtering of characters a possible way to prevent SQL-injections? I understand that filtering means that you lose functionality as special characters can be a valid part of a valid string.

I also understand that parametrisized is the (generally accepted) best way to go.

0
Comment
Question by:Alfahane
7 Comments
 
LVL 17

Expert Comment

by:Garry-G
ID: 36598514
Special characters should always be allowed, but you need to ensure that they are encoded/decoded before you use them for building a query.

e.g, imagine somebody entering the following input into a string field:

john doe"; drop database customer;

Open in new window


without escaping, this might seriously harm your database ;)

You need to make sure to sanitize any input to a web form (or GET variable value) before handing it to your database. In PHP, you could use functions like "mysql_real_escape_string" to "fix" the input so that any legitimate information can be searched for; in this example, it would ensure that plain concatenation of the string to the query would be safe for execution ..
0
 
LVL 22

Expert Comment

by:dportas
ID: 36713078
You could filter out special characters but you generally shouldn't. Passing your inputs as parameters is the best way to avoid SQL injection.
0
 

Author Comment

by:Alfahane
ID: 37106665
Yes, passing as parameters is the best. However, still need to investigate character filtering for an old system that will be shut down but need higher security without changing all queries to parametrized.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 17

Expert Comment

by:Garry-G
ID: 37106716
Is it available in source? How many pages are there that get input from forms? I doubt there's some "silver bullet" that will be able to fix the problem for you ... at least not for little or no money and without work ...
Theoretically, an IDS or application firewall could be set up to look for and block certain sequences, but will require some in-depth understanding of what is permitted and safe, and how to set up the system ...
0
 

Author Comment

by:Alfahane
ID: 37106742
Ok, so there is not a list with characters and pose a threat?
0
 
LVL 17

Accepted Solution

by:
Garry-G earned 500 total points
ID: 37107045
Well, anything that might terminate a string (` ´ ' "), backslash (\), semicolon (;) come to mind ... anyway, they may be perfectly legitimate at times, so filtering all occurrences may be as bad as not filtering them ... e.g. somebody may have the name "O'Hara" - do you want to forbid him to type his name? Or a description of some item might have a ";" in it ...
Of course you can narrow it down a bit if you know the code - e.g., if you're certain all strings for SQL queries always are made with double quotes ("), you could limit filtering to just that character, allowing the other single quotes. I can't imagine many uses of the backslash, so not allowing that shouldn't hurt too much. The semicolon will mostly hurt in combination with the quotes, so if you've taken care of the quotes-problem, the semicolon shouldn't be much of a problem anymore ...
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37260640
I think its important for me to add info here. Its not safe by any means to leave single quotes in. If you absolutely need too. Make sure you filter for those and add a (\) to each single quote so as to not execute a command for your SQL database, this can be achieved by using "addslashes()". Thought if you dont need those quotes at all. I would disable the option "magic_quotes_gpc" that is on by default. You should use "mysql_real_escape_string" or "mysqli_real_escape_string" to escape variables or query's before executing it before anything that has a user definable variable can reach the SQL query. Also note that you need to filter for XSS attacks as well. You can read more about a few other attacks here and fixes for those attacks Foiling cross site forgery. Good luck!
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SQL anywhere 11 databases 1 82
Runtime 3044 error 14 43
Sql Join Problem 2 43
multiple application databases same MSSQL instance 5 53
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question