  1. #1
    Also available in Large Si

    Catching illegal SQL characters

    What are the main characters to look for when inputting text into an SQL server? I'm already catching the single quote and replacing it with double single-quote but are there any more that I should be aware of?

    Thanks for any assistance on this...
    Si


  2. #2
    Avido
    Hm,

    if you also use PHP, perhaps you could experiment with the function addslashes(). Try to insert the whole character set into a table after you have used the addslashes() function.

  3. #3
    r937
    you might also want to consider sql injection

    some good links in there, it does talk about how to check user-supplied input

    it will really open your eyes about what to look for

    it's more than what you asked for, but it's worth a read

    rudy

  4. #4
    Also available in Large Si
    Cheers peeps - I'll have a read!
    Si


  5. #5
    wwb_99
    Other things to check for:

    xp_ (runs extended stored procedures)
    DROP TABLE
    DROP INDEX (etc, etc)
    ; (used to concatenate SQL statements)
    1=1 (often used in SQL injections)

    Of course, you will need to loosen requirements as appropriate.

    And, since you have the SQL server security available, the best defense is to use the rule of least permissions. Your web stuff should definitely not be logging in as SA. They should be logging in as a very limited webuser, with access to only the stored procs and views they need, with no direct access to tables and no powers to create objects, etc.

    WWB
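The two approaches discussed in this thread, doubling single quotes (post #1) and the `1=1` pattern that wwb_99 lists (post #5), can be put side by side. This is an added example, not code from the thread: Python with an in-memory SQLite table standing in for the SQL Server table, constructed sample rows, and assumed `users` table and lookup functions. It shows that quote-doubling holds up in a quoted string position but does nothing for an unquoted numeric position, while a parameterised query covers both.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the thread's SQL Server table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "o'brien")])
    return conn


def escape_quotes(value):
    """The approach from post #1: replace each single quote with two."""
    return value.replace("'", "''")


def lookup_by_name_escaped(conn, name):
    # String position: the value sits between quotes, so doubling the
    # quote keeps a name like o'brien inside the literal.
    sql = "SELECT id FROM users WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_escaped(conn, user_id):
    # Numeric position: there are no surrounding quotes, so escaping quotes
    # changes nothing and whatever the caller sends is parsed as SQL.
    # This is the weak form, kept to show why the thread's fix is partial.
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_param(conn, name):
    # Hardened form: the driver sends the value separately from the SQL text,
    # so it is compared as data and never parsed as part of the statement.
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_by_id_param(conn, user_id):
    # Same placeholder mechanism for the numeric column; a value such as
    # "1 OR 1=1" is just a string that matches no integer id.
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_by_name_escaped(db, "o'brien"), lookup_by_name_param(db, "o'brien"))
    print(lookup_by_id_escaped(db, "1 OR 1=1"), lookup_by_id_param(db, "1 OR 1=1"))
```

The escaped numeric lookup returns every row for the `1 OR 1=1` input, which is exactly the pattern post #5 warns about; the parameterised version returns nothing for it and still finds `o'brien` without any escaping.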

