?
Solved

Can I stop SQL injection by escaping characters?

Posted on 2014-07-25
10
Medium Priority
?
517 Views
Last Modified: 2014-07-29
I know that the best way to avoid SQL injection attacks is to use parameterized queries or preparedStatements in Java because there would be no string parsing that be misdirected.

However, I have an application that is 12 years old and it is just not worth the effort to re-architect the app so I can eliminate all the string concatenation.

I have seen that MySQL has a function mysql_real_escape_string()  that escapes 7 different characters:

mysql_real_escape_string() calls MySQL's library function 3. mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

So, I am wondering if that should be enough to prevent SQL injection attacks?
0
Comment
Question by:jkurant
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 86

Expert Comment

by:CEHJ
ID: 40220489
So, I am wondering if that should be enough to prevent SQL injection attacks?
How would you use that without rewriting the code?

In any case, it might help, but would not be sufficient
0
 

Author Comment

by:jkurant
ID: 40220524
i would pass any strings I was going to execute on the database server through a routine like mysql_real_escape_string() to escape the characters that could be used in an attack. That wouldn't require re-writing code, just refactoring it a bit.

If string replacement is not sufficient, I may have to re-write the app, meaning re-design it so as to not build SQL strings containing user input at all, but rather passing those strings in as arguments.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 40220537
That wouldn't require re-writing code, just refactoring it a bit.
Not sure how you can avoid rewriting or how indeed refactoring is not rewriting.

The point is, (say) nx2 effective rewriting is better than n ineffective rewriting
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 

Author Comment

by:jkurant
ID: 40220621
@CEHJ: Neither of your comments contain anything like an answer to my question. If you have something helpful to add, please do.

Can anyone think of a SQL injection attack that could succeed even with escaping the following characters: \x00, \n, \r, \, ', " and \x1a
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 40220624
I have answered your question. I'm sorry you don't like the answer
0
 

Author Comment

by:jkurant
ID: 40220664
This wasn't really a yes or no question. If escaping those 7 characters will not prevent SQL injection, why won't it? What kind of attack could defeat that defense?
0
 
LVL 28

Accepted Solution

by:
dpearson earned 900 total points
ID: 40221006
If you're not willing to switch to Prepared Statements then I think your escaping function is the next best option.

I've heard that the weakness for these methods is folks coming up with clever Unicode encodings of strings - which is a hugely complex area in MySQL (the client, the server, the database and the table can all be encoding and decoding the strings in and out of UTF-8/ASCII etc as they travel) and that with the right Unicode encoding, you can bipass the ASCII-centric string escaping approaches.

So escaping your character string puts another barrier in front of an attacker, but I think proving that it's 100% injection resistant would be exceptionally hard.  It really depends how bad it would be if the data was extracted/corrupted by an attacker.  If this is for a database of where you store your MP3s I'd say you're good to go.  If  it's a corporate database of passwords, I think maybe not so good.

Doug
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 40221050
If escaping those 7 characters will not prevent SQL injection, why won't it?
This is not really the place to go into sql injection in detail, but the facts are that

a. it's not limited to just the use of escape characters
b. the set of characters you mentioned is limited

http://en.wikipedia.org/wiki/SQL_injection
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 600 total points
ID: 40221900
The Technet article SQL Injection goes to some length to explain some of the subtleties involved with SQL Injection, as well as lists the characters you should escape (they are not the same as MySQL)

And yes, I do understand that all you can do is reduce the risk, as changing your code to use Stored Procedures or parameterized queries is out of the question.
0
 

Author Closing Comment

by:jkurant
ID: 40226952
I eventually found this, which is very helpful. https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
Via a live example, show how to setup several different housekeeping processes for a SQL Server.
Viewers will learn how the fundamental information of how to create a table.
Suggested Courses
Course of the Month10 days, 20 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question