Sql Injection Attacks

Avoiding an SQL injection attack

Page 1 of 1

2 Replies - 1674 Views - Last Post: 07 September 2002 - 11:15 PM

#1 Resonance

Sql Injection Attacks

Posted 07 September 2002 - 07:58 PM

This is a very important issue to consider when you're using form/url variables in databases. A user can cleverly put in SQL statements and manipulate your db server as he sees fit if you don't take the necessary precautions. I get the feeling that there are several people that aren't aware of this when they develop their apps. I crashed a page from jumptheshark.com a while back doing this and I e-mailed them about their bug. They seemed to fix it the next day but I never got a thank you!

Here are some quick tips:
If you're expecting an integer, check in the script that it is of type int and that it's within the integer boundary. If the script expects numbers from 1-20, then just make sure it's within this boundary; if it's larger or smaller than this boundary, take the necessary action.

Also check that the integers/reals your script expects from the user are less/greater than the largest/smallest integer/real, or whatever the max/min of the language you're using is... sometimes a big or small enough number can cause the page to crash.

Strings - if it's a value from a list box, only error-check for those values in the script... if it's anything else, take the necessary action. If it's a string the user has to put in, check if the first chars are: ' or " or ; - also replace all <>"& with their HTML entities.

Here's a good document:
http://www.webmaster...com/article/794


Replies To: Sql Injection Attacks

#2 Quik

Re: Sql Injection Attacks

Posted 07 September 2002 - 08:49 PM

Nice find..

Although, if you just add ' to a field, I doubt anything will happen, as most SQL updates have fixed issues such as this one?

Not to mention, take a read of the comments on this article. Quite interesting.

#3 Resonance

Re: Sql Injection Attacks

Posted 07 September 2002 - 11:15 PM

Even if you add the apostrophe, you can still cleverly do an injection. I did a forum a while back in PHP, and a friend of mine was still able to manipulate some fields even though I did this. Just thought I'd mention it. :)
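The following is an added example, not code from either poster. It puts the two threads of the discussion side by side: the tips in post #1 (type-check and range-check integers, check whether a string starts with ' " or ;) and the caveat in post #3 that an apostrophe check alone can still be bypassed. It uses an in-memory SQLite database with a constructed two-row users table; the table, column names and the 1-20 range are assumptions for illustration. The vulnerable functions build SQL by concatenation exactly as the thread warns against; the safe ones validate the input and then bind it as a query parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data: an ordinary user and an admin the attacker should not see."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "admin")],
    )
    return conn


def first_char_check(s):
    """The string tip from post #1: reject input whose FIRST character is ' " or ;"""
    return s[:1] not in ("'", '"', ";")


def lookup_vulnerable_int(conn, user_id):
    """Integer column, value pasted straight from the form/URL into the SQL text."""
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_vulnerable_str(conn, name):
    """String column, value pasted between quotes into the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe_int(conn, user_id):
    """Post #1's integer advice done properly: convert, range-check, then bind.
    Raises ValueError for anything that is not an integer in 1..20 (assumed range)."""
    n = int(user_id)  # ValueError if not an integer at all
    if not 1 <= n <= 20:
        raise ValueError("id out of range")
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (n,)).fetchall()


def lookup_safe_str(conn, name):
    """No quote-stripping needed: the driver binds the value, so it is data, never SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def rejects_int(conn, user_id):
    """True if the safe integer lookup refuses the input."""
    try:
        lookup_safe_int(conn, user_id)
    except ValueError:
        return True
    return False


def demo():
    """Run the bypasses and the fixes; returns the results for inspection."""
    conn = make_db()
    # Neither payload starts with a quote, so post #1's first-character check passes them.
    int_payload = "1 OR 1=1"          # no quote at all: integer context needs none
    str_payload = "x' OR '1'='1"      # quote is the second character, not the first
    return {
        "check_passes_int": first_char_check(int_payload),
        "check_passes_str": first_char_check(str_payload),
        "vuln_int": lookup_vulnerable_int(conn, int_payload),   # leaks every row
        "vuln_str": lookup_vulnerable_str(conn, str_payload),   # leaks every row
        "safe_int_rejects": rejects_int(conn, int_payload),
        "safe_str": lookup_safe_str(conn, str_payload),         # looks for that literal name
        "safe_int_ok": lookup_safe_int(conn, "1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the example makes concrete is that post #1's checks are input validation and are worthwhile on their own (the integer conversion and range check do stop `1 OR 1=1`), but the first-character quote test is not a boundary: in a numeric context no quote is needed, and in a string context the quote simply goes later in the value. Binding parameters is what separates data from query text; validation then narrows what data is accepted.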
