  1. #1
    SitePoint Member
    Join Date
    Jul 2005
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    SQL injection without single quotes?

    I filter all single quote characters from any input fields in my ASP and PHP web applications. Are there any other characters or methods that can be used to manipulate the MS SQL or MySQL databases?

  2. #2
    SitePoint Evangelist comfixit's Avatar
    Join Date
    Dec 2004
    Location
    Pasadena
    Posts
    537
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, use double quotes.

  3. #3
    SitePoint Guru puco's Avatar
    Join Date
    Feb 2005
    Location
    Slovakia
    Posts
    785
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I guess that really depends on the database you use. And are you sure that filtering the single quotes is the best solution? You should just escape them.
    Martin Pernecky

  4. #4
    SitePoint Enthusiast Sjoerd's Avatar
    Join Date
    Jun 2005
    Location
    Leimuiden, The Netherlands
    Posts
    83
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If you are using single quotes in your query to put content in, you should escape single quotes; if you use double quotes, you should escape double quotes. But, to be sure bad (inconsistent) programming doesn't bring safety to danger, the best thing to do is to escape both single and double quotes...

  5. #5
    SitePoint Addict
    Join Date
    Oct 2004
    Location
    Brooklyn, NY
    Posts
    359
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If my last name is O'Reilly, you're going to store this as OReilly? How will you ever restore the data you've lost?
    Chris Shiflett
    http://shiflett.org/

  6. #6
    SitePoint Addict trogdor1024's Avatar
    Join Date
    Oct 2004
    Location
    New Jersey
    Posts
    235
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Escaping the quotes would store it as O\'Reilly, not OReilly. You would strip those escape characters upon output and it would display normally.

  7. #7
    SitePoint Addict
    Join Date
    Oct 2004
    Location
    Brooklyn, NY
    Posts
    359
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by trogdor1024
    Escaping the quotes would store it as O\'Reilly, not OReilly.
    He said filter, but thanks for the lesson. :-)

    Quote Originally Posted by trogdor1024
    You would strip those escape characters upon output and it would display normally.
    Nope, if you ever find yourself having to reverse an escaping or encoding, you've probably screwed up somewhere. You escape output in order to preserve the raw data while in transit - special characters in the remote system to which data is sent are represented in a special way to preserve them. Thus, when you get your data back, it will no longer be in an escaped form. You should still filter it, of course, because it's input.

    Hope that helps.
    Chris Shiflett
    http://shiflett.org/

  8. #8
    SitePoint Enthusiast
    Join Date
    Jan 2005
    Location
    Italy
    Posts
    25
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If the argument passwd is of type varchar (string) then you have to escape it: \'.
    If the argument is an integer (numeric), I advise you to first check if it is really an integer and then remove ";" and "--". Anyway, the type check is enough for integer parameters.
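Added example (not code from any poster in this thread) showing the point of posts #1, #5 and #8 end to end: a quote filter does nothing for an unquoted integer parameter, while a type check plus bound parameters handles both the integer case and a name like O'Reilly without losing data. The `users` table, its rows and the function names are constructed for the example; it uses Python's bundled sqlite3 driver in place of MS SQL or MySQL.

```python
import re
import sqlite3

# Constructed in-memory table for the example (not from the thread):
# an integer primary key and a name containing a single quote.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?)",
                 [(1, "O'Reilly"), (2, "admin")])
CONN.commit()


def strip_quotes(value: str) -> str:
    """The filtering approach from post #1: drop every single quote."""
    return value.replace("'", "")


def lookup_by_id_filtered(user_id: str) -> list:
    """Vulnerable pattern: integer column, string concatenation, quote filter only.
    The id is not wrapped in quotes in the SQL, so removing quotes changes nothing
    about what a crafted value can do to the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = " + strip_quotes(user_id)
    return [row[0] for row in CONN.execute(sql)]


def is_valid_id(value: str) -> bool:
    """Type check from post #8: the whole value must be an unsigned integer."""
    return re.fullmatch(r"\d+", value) is not None


def lookup_by_id_param(user_id: str) -> list:
    """Hardened: reject anything that is not an integer, then bind the value."""
    if not is_valid_id(user_id):
        raise ValueError("user id must be an unsigned integer")
    rows = CONN.execute("SELECT name FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


def lookup_by_name_param(name: str) -> list:
    """Hardened string context: the driver handles quoting, so O'Reilly
    is matched and returned unchanged; nothing is stripped or un-escaped."""
    rows = CONN.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(lookup_by_id_filtered("1"))         # ["O'Reilly"]
    print(lookup_by_id_filtered("1 OR 1=1"))  # both rows: the quote filter did not help
    print(lookup_by_id_param("1"))            # ["O'Reilly"]
    print(lookup_by_name_param("O'Reilly"))   # ["O'Reilly"]
```

Run it as a script to see the filtered integer lookup return every row for a value that contains no quote at all, while the parameterised versions return exactly one.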

