A lesson in SQL injection

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Oct 12, 2007.

  1. <http://xkcd.com/327/>
     
    Lawrence D'Oliveiro, Oct 12, 2007
    #1

  2. Shane (Guest)

    Lawrence D'Oliveiro wrote:

    > <http://xkcd.com/327/>


    We had this posted on the intarweb applications paper forum, good for a
    laugh.

    <begin speel>
    We haven't had any f*&^ing comment whatsoever about sanitising user input in
    the whole paper, apart from the xkcd cartoon.
    Thank f&%# it is being marked on in one of our assignments, otherwise there
    would have been a lot [more] inept web designers out there, all with quals!
    Although that doesn't mean that anyone will take notice of it
    </speel>

    --
    Hardware: n, Parts of a computer that you can kick.
     
    Shane, Oct 12, 2007
    #2

  3. In article <feosbn$tb2$>, -a-geek.net says...
    >
    > > <http://xkcd.com/327/>

    >
    > We had this posted on the intarweb applications paper forum, good for a
    > laugh.
    >


    It's one of my pet <groan>s that there are lots of web designers out there who
    can't seem to manage to parse user input which includes punctuation from
    webforms in a way that sql can handle it without spitting the dummy.

    It ain't that hard .... (actually I've forgotten how to do it, I haven't done
    any sql programming for nearly a decade, but I figured it out in about 1/2 an
    hour when I needed to do it).

    -P.

    --
    =========================================
    firstname dot lastname at gmail fullstop com
     
    Peter Huebner, Oct 13, 2007
    #3
  4. In message <>, Peter Huebner
    wrote:

    > It's one of my pet <groan>s that there are lots of web designers out there
    > who can't seem to manage to parse user input which includes punctuation
    > from webforms in a way that sql can handle it without spitting the dummy.
    >
    > It ain't that hard .... (actually I've forgotten how to do it, I haven't
    > done any sql programming for nearly a decade, but I figured it out in
    > about 1/2 an hour when I needed to do it).


    I posted some code for C++ here
    <http://www.schneier.com/blog/archives/2007/10/sql_injection_a.html>. Most
    higher-level languages (e.g. Perl, Python) have nice database interfaces
    that handle this sort of thing for you automatically--most of the time.
     
    Lawrence D'Oliveiro, Oct 13, 2007
    #4
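What "the database interface handles it for you" means in practice, as an added example (not code from any poster): the same punctuation-laden input is inserted once by splicing it into the SQL text and once through the driver's placeholders, using Python's standard sqlite3 module. The sample name and e-mail address are constructed for the demonstration.

```python
import sqlite3

# Constructed sample input: an apostrophe in the name (the classic breaker)
# and a '+' in the e-mail address, both perfectly legitimate user data.
SAMPLE_NAME = "Conan O'Brien"
SAMPLE_EMAIL = "conan+nz@example.com"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, email TEXT)")
    return conn


def insert_concatenated(conn, name, email):
    # The pattern the thread complains about: user input becomes part of the
    # SQL text itself, so any quote in it changes the statement's structure.
    sql = "INSERT INTO students VALUES ('%s', '%s')" % (name, email)
    conn.execute(sql)


def insert_parameterised(conn, name, email):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so they can never be parsed as SQL, whatever punctuation they contain.
    conn.execute("INSERT INTO students VALUES (?, ?)", (name, email))


def find_by_name(conn, name):
    # Same rule for lookups: the search term is a parameter, not SQL.
    return conn.execute(
        "SELECT name, email FROM students WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Returns (what happened to the concatenated insert, rows stored)."""
    conn = make_db()
    try:
        insert_concatenated(conn, SAMPLE_NAME, SAMPLE_EMAIL)
        concat_result = "accepted"
    except sqlite3.Error as e:
        # The apostrophe ends the string literal early: a syntax error here,
        # and with hostile input it would have been an injected statement.
        concat_result = "error: " + type(e).__name__
    insert_parameterised(conn, SAMPLE_NAME, SAMPLE_EMAIL)
    return concat_result, find_by_name(conn, SAMPLE_NAME)


if __name__ == "__main__":
    print(demo())
```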
  5. Dave Doe (Guest)

    In article <>,
    ess says...
    > In article <feosbn$tb2$>, -a-geek.net says...
    > >
    > > > <http://xkcd.com/327/>

    > >
    > > We had this posted on the intarweb applications paper forum, good for a
    > > laugh.
    > >

    >
    > It's one of my pet <groan>s that there are lots of web designers out there who
    > can't seem to manage to parse user input which includes punctuation from
    > webforms in a way that sql can handle it without spitting the dummy.
    >
    > It ain't that hard .... (actually I've forgotten how to do it, I haven't done
    > any sql programming for nearly a decade, but I figured it out in about 1/2 an
    > hour when I needed to do it).


    Well here's a reminder. You know what you're expecting. Cover that, and
    nothing else.

    --
    Duncan
     
    Dave Doe, Oct 13, 2007
    #5
  6. Richard (Guest)

    Peter Huebner wrote:

    > It's one of my pet <groan>s that there are lots of web designers out there who
    > can't seem to manage to parse user input which includes punctuation from
    > webforms in a way that sql can handle it without spitting the dummy.
    >
    > It ain't that hard .... (actually I've forgotten how to do it, I haven't done
    > any sql programming for nearly a decade, but I figured it out in about 1/2 an
    > hour when I needed to do it).


    Ones that fail on a + in email addresses really piss me off.

    What either happens is on the first submission it says not acceptable
    (lies) or else it takes it and then puts the email address in the URL
    without escaping the + so it becomes a separate part since + is the
    separator in the URL.
     
    Richard, Oct 14, 2007
    #6
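Dave Doe's "know what you're expecting, cover that and nothing else" and Richard's two '+' failures side by side, as an added example (not code from either poster): an allowlist check for an e-mail address that deliberately permits '+', and the URL built both the broken way and with proper percent-encoding. The pattern is an assumption, kept conservative on purpose rather than full RFC 5322; the sample addresses are constructed.

```python
import re
from urllib.parse import urlencode, parse_qs, urlparse

# Allowlist of what an e-mail address is expected to look like. '+' in the
# local part is legitimate and permitted; anything outside the pattern is
# rejected before it gets near SQL or a URL. (Assumed, conservative pattern.)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_email(value):
    """True only for input that matches what we expect, nothing else."""
    return len(value) <= 254 and EMAIL_RE.match(value) is not None


def naive_confirmation_url(base, email):
    # The bug Richard describes: the address pasted into the query string raw,
    # so the '+' is later read back as the form-encoding separator (a space).
    return base + "?email=" + email


def confirmation_url(base, email):
    # urlencode percent-encodes '+' as %2B (and '@' as %40), so the value
    # survives the round trip through the URL intact.
    return base + "?" + urlencode({"email": email})


def email_from_url(url):
    """What the receiving page actually sees after standard query decoding."""
    params = parse_qs(urlparse(url).query)
    return params.get("email", [None])[0]


def demo(email, base="https://example.com/confirm"):
    """Returns (passes validation, value seen via naive URL, value seen via encoded URL)."""
    ok = validate_email(email)
    return (
        ok,
        email_from_url(naive_confirmation_url(base, email)),
        email_from_url(confirmation_url(base, email)),
    )


if __name__ == "__main__":
    print(demo("conan+nz@example.com"))
```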
  7. Chris Lim (Guest)

    On Oct 13, 4:47 pm, Peter Huebner <> wrote:
    > It's one of my pet <groan>s that there are lots of web designers out there who
    > can't seem to manage to parse user input which includes punctuation from
    > webforms in a way that sql can handle it without spitting the dummy.
    >
    > It ain't that hard .... (actually I've forgotten how to do it, I haven't done
    > any sql programming for nearly a decade, but I figured it out in about 1/2 an
    > hour when I needed to do it).


    Easy. Avoid embedded SQL. Use stored procedures.
     
    Chris Lim, Oct 15, 2007
    #7