
SQL injection attacks

Posted Mar 31, 2006 16:56 UTC (Fri) by dps (guest, #5725)
Parent article: SQL injection attacks

There is a simpler fix, which also stops other attacks... do proper input validation---if something is supposed to be a number, make sure it really is. Numbers like "1 OR 1=1" (without the quotes) can do evil things in contexts expecting numbers. Input validation stops that too.

Using magic_quotes_gpc, SQL syntax randomisation, etc. are all useful backstops in case you somehow fail to properly validate something. I have my doubts about the security of stored procedures when fed evil input, unless handling it safely is a primary design goal.

Sadly there is no agreement about parameters in prepared statements. ODBC and MySQL want ?. PostgreSQL wants $1, $2, etc. and Oracle accepts $<almost anything>. (This sort of thing is one of the "joys" of writing multiple database server SQL.)
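To make the numeric case concrete, here is an added example (not code from the comment or from LWN) that feeds the comment's "1 OR 1=1" into a lookup three ways: spliced into the SQL text, bound as a prepared-statement parameter, and validated first. The table is constructed in memory with Python's sqlite3 module, which uses the ? placeholder style; the validate_id and lookup_* helpers are mine.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_concat(conn, raw_id):
    """The pattern the comment warns about: the 'number' is spliced into the SQL text."""
    sql = "SELECT name FROM users WHERE id = " + raw_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def validate_id(raw_id):
    """Input validation as the comment recommends: accept only a plain decimal integer.

    A strict pattern is used instead of int(), because int() also accepts
    surrounding whitespace, a sign and underscores ('1_000').
    Returns the integer, or None when the input is not a number.
    """
    if not isinstance(raw_id, str) or re.fullmatch(r"[0-9]{1,18}", raw_id) is None:
        return None
    return int(raw_id)


def lookup_param(conn, raw_id):
    """Prepared statement with a bound parameter; the value never becomes SQL syntax."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def lookup_safe(conn, raw_id):
    """Both layers: validate first, then bind the validated value."""
    user_id = validate_id(raw_id)
    if user_id is None:
        return None  # reject rather than guess what the caller meant
    return lookup_param(conn, user_id)


if __name__ == "__main__":
    conn = make_db()
    evil = "1 OR 1=1"
    print("concatenated:", lookup_concat(conn, evil))  # every row comes back
    print("bound as-is: ", lookup_param(conn, evil))   # compared as text, no row matches
    print("validated:   ", lookup_safe(conn, evil))    # rejected before any SQL runs
    print("validated:   ", lookup_safe(conn, "2"))
```

The bound-parameter case works because SQLite cannot convert the text '1 OR 1=1' to a number, so it is compared as a string and matches nothing; the validation layer is still worth having, since it rejects the input before any query runs and gives the caller a clear error instead of an empty result.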


SQL injection attacks

Posted Apr 1, 2006 13:35 UTC (Sat) by holstein (guest, #6122)

As others have pointed out, '1 OR 1=1' can be a valid password. Or at least, a validating routine for valid passwords should accept this; something like '1hotguys = 1' is a valid password...

So, input validation is not a silver bullet; it's just a step in the journey.

Using a stored procedure helps because the data will be used just as it is: data. You can't turn the input into a variation of the executed query (at least, not easily). Of course, bad data could trigger other kinds of problems (like, say, a buffer overflow attack on the RDBMS).

As for the syntax for placeholders in prepared statements, with the Perl DBI at least, the syntax is the same for every RDBMS. And having worked with MySQL, Oracle and SQLite with PHP, I don't recall having seen different syntax used; maybe it was because I was not using the 'direct' API (like mysql_xx, oci8_xx, etc.) but instead using an abstraction layer, like PEAR DB. But if you are writing a multiple database server application, I would guess that this is a 'sine qua non' condition. At least for me!
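Two of the points above, as an added example rather than code from the comment: a password such as '1hotguys = 1' is passed as a bound parameter, so it stays data and a validation routine has no reason to reject it, and a small placeholder translator of the kind an abstraction layer like DBI or PEAR DB applies so that application code can always write ?. The paramstyle names follow Python's DB-API (PEP 249); the translator, the PBKDF2 password hashing and the in-memory user table are my assumptions, not anything the thread describes.

```python
import hashlib
import hmac
import os
import sqlite3

# Placeholder styles, named as in the Python DB-API (PEP 249). Which one a
# backend wants is the divergence the thread complains about; an abstraction
# layer hides it by rewriting '?' before the statement reaches the driver.
PARAMSTYLES = {
    "qmark": lambda n: "?",          # sqlite3, ODBC
    "numeric": lambda n: "$%d" % n,  # PostgreSQL's native protocol
    "format": lambda n: "%s",        # common in MySQL and PostgreSQL Python drivers
}


def translate_placeholders(sql, style):
    """Rewrite each '?' outside a single-quoted literal into the target style.

    Hypothetical helper standing in for what DBI or PEAR DB does internally.
    Only the placeholder tokens change; parameter values are never touched,
    they are still handed to the driver separately from the SQL text.
    """
    if style not in PARAMSTYLES:
        raise ValueError("unknown paramstyle: %r" % style)
    out, count, in_literal = [], 0, False
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal  # a doubled '' toggles twice, net no change
        if ch == "?" and not in_literal:
            count += 1
            out.append(PARAMSTYLES[style](count))
        else:
            out.append(ch)
    return "".join(out)


def make_users():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def _hash(password, salt):
    # PBKDF2 is this example's choice; it keeps the stored value from being the
    # password itself and makes the comparison a fixed-length byte compare.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def add_user(conn, name, password):
    salt = os.urandom(16)
    sql = translate_placeholders(
        "INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)", "qmark"
    )
    conn.execute(sql, (name, salt, _hash(password, salt)))


def login(conn, name, password):
    """Any string is acceptable as a password: it is bound, never spliced into SQL."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash(password, salt))


if __name__ == "__main__":
    conn = make_users()
    add_user(conn, "holstein", "1hotguys = 1")
    print(login(conn, "holstein", "1hotguys = 1"))  # the odd-looking password just works
    print(login(conn, "holstein", "1 OR 1=1"))      # a different string, so it fails
    print(translate_placeholders("SELECT 1 FROM t WHERE a = ? AND b = ?", "numeric"))
```

Because the password only ever travels as a parameter value, the SQL text is fixed at compile time and the SQL grammar never sees the input, which is the property the comment attributes to stored procedures and prepared statements alike; the translator only rewrites placeholder tokens and deliberately skips anything inside a quoted literal so it cannot mistake a literal ? for a parameter.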


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds