Velocity Reviews > Newsgroups > Computing > NZ Computing

A lesson in SQL injection

 
 
Lawrence D'Oliveiro
10-12-2007
<http://xkcd.com/327/>
 
Shane
10-12-2007
Lawrence D'Oliveiro wrote:

> <http://xkcd.com/327/>


We had this posted on the intarweb applications paper forum, good for a
laugh.

<begin spiel>
We haven't had any f*&^ing comment whatsoever about sanitising user input in
the whole paper, apart from the xkcd cartoon.
Thank f&%# it is being marked on in one of our assignments, otherwise there
would have been a lot [more] inept web designers out there, all with quals!
Although that doesn't mean that anyone will take notice of it
</spiel>

--
Hardware: n, Parts of a computer that you can kick.
 
Peter Huebner
10-13-2007
Shane wrote:
>
> > <http://xkcd.com/327/>

>
> We had this posted on the intarweb applications paper forum, good for a
> laugh.
>


It's one of my pet <groan>s that there are lots of web designers out there who
can't seem to manage to parse user input which includes punctuation from
webforms in a way that sql can handle it without spitting the dummy.

It ain't that hard .... (actually I've forgotten how to do it, I haven't done
any sql programming for nearly a decade, but I figured it out in about 1/2 an
hour when I needed to do it).

-P.

--
=========================================
firstname dot lastname at gmail fullstop com
 
 
Lawrence D'Oliveiro
10-13-2007
Peter Huebner wrote:

> It's one of my pet <groan>s that there are lots of web designers out there
> who can't seem to manage to parse user input which includes punctuation
> from webforms in a way that sql can handle it without spitting the dummy.
>
> It ain't that hard .... (actually I've forgotten how to do it, I haven't
> done any sql programming for nearly a decade, but I figured it out in
> about 1/2 an hour when I needed to do it).


I posted some code for C++ here
<http://www.schneier.com/blog/archives/2007/10/sql_injection_a.html>. Most
higher-level languages (e.g. Perl, Python) have nice database interfaces
that handle this sort of thing for you automatically--most of the time.
 
 
Dave Doe
10-13-2007
Peter Huebner wrote:
> Shane wrote:
> >
> > > <http://xkcd.com/327/>

> >
> > We had this posted on the intarweb applications paper forum, good for a
> > laugh.
> >

>
> It's one of my pet <groan>s that there are lots of web designers out there who
> can't seem to manage to parse user input which includes punctuation from
> webforms in a way that sql can handle it without spitting the dummy.
>
> It ain't that hard .... (actually I've forgotten how to do it, I haven't done
> any sql programming for nearly a decade, but I figured it out in about 1/2 an
> hour when I needed to do it).


Well here's a reminder. You know what you're expecting. Cover that, and
nothing else.

--
Duncan
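
The two points made above, Lawrence's (let the database interface pass values separately from the SQL text) and Duncan's (know what you expect and accept nothing else), as an added example. This is not code from this thread or from the Schneier post Lawrence links; it uses Python's standard sqlite3 module, the name from the xkcd cartoon as a constructed form value, and an assumed allow-list policy for a name field.

```python
import re
import sqlite3

# Constructed sample input: the name from xkcd 327, as typed into the web form.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory database with a Students table and one existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def insert_student_vulnerable(conn, name):
    """The classic mistake: the form value is pasted into the SQL text.

    executescript() runs the whole string as a batch, as many database
    drivers that allow stacked statements do by default.  sqlite3's plain
    execute() happens to refuse a second statement, which is luck, not a fix.
    """
    sql = "INSERT INTO Students (name) VALUES ('%s');" % name
    conn.executescript(sql)


def insert_student_parameterised(conn, name):
    """The fix: a placeholder in the SQL text, the value passed separately.

    The driver hands the value to the engine as data, so quotes and
    semicolons inside it can never change the statement's structure.
    """
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row[0] == 1


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]


# Defence in depth, not a replacement for placeholders: "you know what you're
# expecting, cover that and nothing else".  Assumed policy for a name field:
# a letter followed by up to 63 letters, spaces, apostrophes or hyphens.
# (Hypothetical and ASCII-only; a real site would need to admit far more.)
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def is_valid_name(name):
    return bool(NAME_RE.match(name))


def demo():
    """Returns (table survives the vulnerable insert, rows after the safe insert)."""
    conn = fresh_db()
    insert_student_vulnerable(conn, BOBBY)
    survived = table_exists(conn, "Students")   # False: the table is gone

    conn = fresh_db()
    insert_student_parameterised(conn, BOBBY)
    names = student_names(conn)                 # the whole string stored as a name
    return survived, names


if __name__ == "__main__":
    survived, names = demo()
    print("table survived vulnerable insert:", survived)
    print("rows after parameterised insert:", names)
    print("allow-list accepts Bobby's name:", is_valid_name(BOBBY))
```

The parameterised insert stores the attacker's string as an ordinary name, which is the correct outcome: escaping is the driver's job, and the allow-list only narrows what the application is willing to accept in the first place.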
 
 
Richard
10-14-2007
Peter Huebner wrote:

> It's one of my pet <groan>s that there are lots of web designers out there who
> can't seem to manage to parse user input which includes punctuation from
> webforms in a way that sql can handle it without spitting the dummy.
>
> It ain't that hard .... (actually I've forgotten how to do it, I haven't done
> any sql programming for nearly a decade, but I figured it out in about 1/2 an
> hour when I needed to do it).


Ones that fail on a + in email addresses really **** me off.

What happens is either that on the first submission it says not acceptable
(lies), or else it takes it and then puts the email address in the URL
without escaping the +, so it becomes a separate part, since + is the
separator in the URL.
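
Both failure modes Richard describes, as an added example that is not code from this thread: an over-strict address check that rejects the + outright, and a link built by pasting the address into the query string unescaped. In application/x-www-form-urlencoded query strings a literal + is decoded as a space, so the unescaped address arrives mangled at the receiving page. The address, base URL and helper names are constructed for the example; the regexes are simplified and assume an ASCII, unquoted local part.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: a plus-addressed mailbox of the kind that trips these forms.
ADDRESS = "richard+lists@example.com"
BASE = "https://example.com/confirm"

# Failure mode 1: the sign-up form's "not acceptable" check.  STRICT_RE is the
# usual over-narrow allow-list (letters, digits, dot, underscore, hyphen).
# ATEXT_RE admits the characters RFC 5322 allows unquoted in a local part;
# it is still a simplification (no check on dot placement, ASCII only).
STRICT_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ATEXT_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def accepts(regex, email):
    return regex.match(email) is not None


# Failure mode 2: the confirmation link.
def naive_link(base, email):
    """The mistake: the address is pasted into the query string unescaped."""
    return "%s?email=%s" % (base, email)


def escaped_link(base, email):
    """The fix: urlencode() percent-encodes the value (+ becomes %2B, @ becomes %40)."""
    return "%s?%s" % (base, urlencode({"email": email}))


def email_from_link(url):
    """What the receiving page sees after standard query-string decoding.

    parse_qs() follows the form-urlencoded rules that web frameworks use:
    %XX escapes are decoded and a literal '+' becomes a space.
    """
    return parse_qs(urlsplit(url).query)["email"][0]


def round_trip(make_link, email):
    return email_from_link(make_link(BASE, email))


if __name__ == "__main__":
    print("strict check accepts:", accepts(STRICT_RE, ADDRESS))
    print("atext check accepts: ", accepts(ATEXT_RE, ADDRESS))
    print(naive_link(BASE, ADDRESS))
    print("  decodes to:", repr(round_trip(naive_link, ADDRESS)))
    print(escaped_link(BASE, ADDRESS))
    print("  decodes to:", repr(round_trip(escaped_link, ADDRESS)))
```

The naive link decodes to "richard lists@example.com" with a space where the + was; the urlencode() version round-trips the address unchanged. The same rule applies to any value placed in a query string or form body, not just email addresses.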
 
 
Chris Lim
10-14-2007
On Oct 13, 4:47 pm, Peter Huebner wrote:
> It's one of my pet <groan>s that there are lots of web designers out there who
> can't seem to manage to parse user input which includes punctuation from
> webforms in a way that sql can handle it without spitting the dummy.
>
> It ain't that hard .... (actually I've forgotten how to do it, I haven't done
> any sql programming for nearly a decade, but I figured it out in about 1/2 an
> hour when I needed to do it).


Easy. Avoid embedded SQL. Use stored procedures.

 