Re: SQL Injection in HTML DB prevention

  • From: david wendelken <davewendelken@xxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 18 Apr 2005 11:39:24 -0700 (PDT)

Using your approach, a user doing a search for an employee named Maureen O'Hara 
would never find a match.
Your page would issue a search for Maureen OHara and not find a match.

A simple replace function will not understand the difference between syntax 
punctuation and data punctuation inside a quoted string.  You'll need a smarter 
custom parsing function for that.

I don't think that's what you are aiming for.

You're concerned that your page, along with a sneaky user, would issue a 
statement like this:

select * from some_table
where 1 = 1; delete some_other_table;

And somehow, both statements would get issued?  Depends on the back-end code, 
but doesn't seem too likely.
You could test for it to make sure.

Or:

select aa,bb from some_table
where 1 = 1 union all select id, password from some_userpassword_table;

This one would be more likely.  Making sure a union isn't in the statement 
would prevent that.
Of course, it would also prevent legitimate uses of a union (assuming that 
there are any).

Hope this helps.
--
//www.freelists.org/webpage/oracle-l
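
As an added illustration (not part of David's post, and not HTML DB code), the two behaviours he describes side by side: the "simple replace" of apostrophes that makes Maureen O'Hara unsearchable, and a bind variable that lets the apostrophe through while the union text from his second example stays inert data. Python with an in-memory SQLite database stands in for Oracle here; the table names, sample rows and the `?` placeholder are assumptions of this example (in HTML DB the equivalent is a page-item bind variable, e.g. a hypothetical `:P1_SEARCH`, in the region source).

```python
import sqlite3

# Constructed sample data (not from the post): one surname carries an apostrophe,
# which is exactly the case a blanket quote-stripping filter gets wrong.
EMPLOYEES = [
    (1, "Maureen O'Hara"),
    (2, "John Smith"),
]


def make_db():
    """Build an in-memory database with an employees table and a second table
    of the kind the post's union example targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table employees (id integer primary key, name text)")
    conn.executemany("insert into employees values (?, ?)", EMPLOYEES)
    conn.execute("create table app_users (id integer primary key, password text)")
    conn.execute("insert into app_users values (1, 'constructed-sample')")
    conn.commit()
    return conn


def search_strip_quotes(conn, term):
    """The approach the post criticises: delete every apostrophe, then glue the
    remainder into the statement. Legitimate data punctuation is lost, so the
    search for O'Hara is really a search for OHara."""
    cleaned = term.replace("'", "")
    sql = "select name from employees where name = '" + cleaned + "'"
    return [row[0] for row in conn.execute(sql)]


def search_bind(conn, term):
    """Bind-variable version: the database receives the statement text and the
    value separately, so the value is never parsed as SQL. An apostrophe in a
    name matches normally, and a value containing 'union all select ...' is
    compared as a literal string rather than executed."""
    rows = conn.execute("select name from employees where name = ?", (term,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("strip quotes :", search_strip_quotes(db, "Maureen O'Hara"))  # []
    print("bind variable:", search_bind(db, "Maureen O'Hara"))          # ["Maureen O'Hara"]
    union_text = "x' union all select password from app_users --"
    print("bind, union text:", search_bind(db, union_text))             # []
```

Run it and the first line shows the false negative the post warns about; the last line shows that with a bind variable there is nothing to blacklist, because the union clause never reaches the parser as SQL.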