Menu
Can anyone show an EXAMPLE of a sql statement when SQL Injection occurred even after all "single-quote" and "dash characters" have been stripped out of the user's input?
SELECT MyRecord FROM MyTable
WHERE MyEmail='[email protected]' AND MyPassword='foo'
(No INTs are involved here.)
Everyone seems to say "yes, I can do it"... but when they are pressed for an e-x-a-m-p-l-e... none of ever shown.
(You can use any version, new or old, of any sql engine: SQL Server, MySql, SqlLite, PostgreSQL, Oracle and countless others.)
706
Single quoted strings are the easiest way to specify string. This method in used when we want to the string to be exactly as it is written. When string is specified in single quotes PHP will not evaluate it or interpret escape characters except single quote with backslash (') and backslash(\) which has to be escaped .
How to Prevent an SQL Injection. The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
The simplest method to escape single quotes in SQL is to use two single quotes. For example, if you wanted to show the value O'Reilly, you would use two quotes in the middle instead of one. The single quote is the escape character in Oracle, SQL Server, MySQL, and PostgreSQL.
Single quotes are used to indicate the beginning and end of a string in SQL. Double quotes generally aren't used in SQL, but that can vary from database to database. Stick to using single quotes.
How have you "stripped out of the user's input"? If you have simply removed all occurrences of quotes, then that really isn't Fair for susan.o'[email protected] who won't be able to use your website.
If you are escaping each quote with another quote that can cause problems as well. If you passed in \'; DROP TABLE users; -- (at least in MySQL \' is an alternative for escaping quotes) then escaping the single quote would result in an SQL injection attack that would drop the users table:
SELECT MyRecord FROM MyTable
WHERE MyEmail='\''; DROP TABLE MyTable; --' AND MyPassword='foo'
the only real safe method of sanitizing your inputs is By parameterising them:
SELECT MyRecord FROM MyTable
WHERE MyEmail=? AND MyPassword=?
and then add the parameter values using you language of choice, for example in java where ps is a PreparedStatement:
ps.setString(1, "[email protected]");
ps.setString(2, "foo");
ps.executeQuery();
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
