SQL Injection after removing all single-quotes and dash-characters

Can anyone show an EXAMPLE of a sql statement when SQL Injection occurred even after all "single-quote" and "dash characters" have been stripped out of the user's input?

SELECT MyRecord FROM MyTable
WHERE MyEmail='[email protected]' AND MyPassword='foo'

(No INTs are involved here.)

Everyone seems to say "yes, I can do it"... but when they are pressed for an e-x-a-m-p-l-e... none is ever shown.

(You can use any version, new or old, of any SQL engine: SQL Server, MySQL, SQLite, PostgreSQL, Oracle and countless others.)

Susan Avatar asked Apr 02 '11 03:04


1 Answer

How have you "stripped out of the user's input"? If you have simply removed all occurrences of quotes, then that really isn't fair for susan.o'[email protected], who won't be able to use your website.

If you are escaping each quote with another quote, that can cause problems as well. If you passed in \'; DROP TABLE users; -- (at least in MySQL \' is an alternative for escaping quotes), then escaping the single quote would result in an SQL injection attack that would drop the users table:

SELECT MyRecord FROM MyTable
WHERE MyEmail='\''; DROP TABLE users; --' AND MyPassword='foo'

The only really safe method of sanitising your inputs is by parameterising them:

SELECT MyRecord FROM MyTable
WHERE MyEmail=? AND MyPassword=?

and then add the parameter values using your language of choice, for example in Java, where ps is a PreparedStatement:

ps.setString(1, "[email protected]");
ps.setString(2, "foo");
ps.executeQuery();
krock Avatar answered Oct 12 '22 12:10
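The question asks for a concrete case where stripping or doubling quotes is not enough, and the answer explains it with MySQL's backslash escape. The following Python script is an added worked example, not code from the question or the answer: it builds the concatenated query the way a quote-doubling "sanitiser" would, scans it with a hand-written approximation of MySQL's default string-literal rules (backslash escapes the next character; '' is a literal quote) to show that the user's text ends the literal early and yields a second statement, and then runs the parameterised lookup the answer recommends against an in-memory SQLite database. The email addresses, table names beyond those on the page, and the small lexer are constructed assumptions; the lexer also simplifies MySQL's "--" comment rule (real MySQL requires whitespace after the dashes).

```python
import sqlite3

# Constructed sample input, shaped like the answer's example: a backslash followed by a quote.
# Raw characters the user types:  \'; DROP TABLE users; --
MALICIOUS_EMAIL = "\\'; DROP TABLE users; --"
LEGIT_EMAIL = "susan.o'reilly@example.com"   # constructed; a quote that must survive intact


def naive_escape(value):
    """The 'sanitiser' under discussion: double every single quote, ignore backslashes."""
    return value.replace("'", "''")


def build_query_by_concatenation(email, password):
    """Vulnerable pattern: escape, then splice the text straight into the SQL string."""
    return ("SELECT MyRecord FROM MyTable "
            f"WHERE MyEmail='{naive_escape(email)}' AND MyPassword='{naive_escape(password)}'")


def mysql_literal_end(sql, start):
    """Index just past the string literal opening at sql[start] == "'", following the
    rules MySQL applies by default (sql_mode without NO_BACKSLASH_ESCAPES):
    a backslash escapes the next character, and '' inside a literal is one quote.
    Hand-written approximation of the lexer (an assumption), not MySQL's own code."""
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2                      # \x never closes the literal, whatever x is
        elif c == "'":
            if sql[i + 1:i + 2] == "'":
                i += 2                  # doubled quote: still inside the literal
            else:
                return i + 1            # the closing quote
        else:
            i += 1
    raise ValueError("unterminated string literal")


def statements_as_mysql_sees_them(sql):
    """Split SQL on ';' outside string literals; stop at a '--' comment outside a literal
    (simplification: MySQL also requires whitespace after '--'). More than one
    statement back means the user's text broke out of its quoted context."""
    parts, buf, i = [], [], 0
    while i < len(sql):
        c = sql[i]
        if c == "'":
            end = mysql_literal_end(sql, i)
            buf.append(sql[i:end])
            i = end
        elif c == ";":
            parts.append("".join(buf).strip())
            buf = []
            i += 1
        elif sql.startswith("--", i):
            break
        else:
            buf.append(c)
            i += 1
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def lookup_parameterised(conn, email, password):
    """Safe pattern from the answer: placeholders; values travel separately from SQL text."""
    cur = conn.execute("SELECT MyRecord FROM MyTable WHERE MyEmail=? AND MyPassword=?",
                       (email, password))
    return cur.fetchall()


def demo():
    """Run the parameterised lookup against an in-memory SQLite database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER)")
    conn.execute("CREATE TABLE MyTable (MyRecord TEXT, MyEmail TEXT, MyPassword TEXT)")
    conn.execute("INSERT INTO MyTable VALUES ('rec1', ?, 'foo')", (LEGIT_EMAIL,))
    malicious_rows = lookup_parameterised(conn, MALICIOUS_EMAIL, "foo")   # treated as data: no match
    legit_rows = lookup_parameterised(conn, LEGIT_EMAIL, "foo")           # quote in value is fine
    users_exists = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'").fetchone() is not None
    return {"malicious_rows": malicious_rows, "legit_rows": legit_rows,
            "users_table_exists": users_exists}


if __name__ == "__main__":
    sql = build_query_by_concatenation(MALICIOUS_EMAIL, "foo")
    print(sql)
    for s in statements_as_mysql_sees_them(sql):
        print("statement:", s)
    print(demo())
```

Running it prints the concatenated query exactly as the answer shows it, then two separate statements (the SELECT with a literal containing only \' and a bare DROP TABLE users), while the parameterised lookup returns no row for the malicious text, still finds the O'Reilly address, and leaves the users table in place.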