SQL injection
Results 1 to 4 of 4

Thread: SQL injection

  1. #1

    Question SQL injection

    With respect to SQL strings:

    Why is it not suffitient enough to replace an apostrophe ' with a quotation mark " ? Where ever I read about this, it is said that one apostrophe has to replaced with two. I understand all about string beginings and endings, but if one apostrophe is replaced by a quotation mark, whay can it be abused?

    Thanks so much.

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    It can't, but you're altering data then...

    Let's say you look at my previous sentence using your suggestion:
    Code:
    It can"t, but you"re altering data then...
    and then as I wrote it:
    Code:
    It can't, but you're altering data then...
    SQL standards dictate that two apostrophes inside a quoted string are to be treated as a single apostrophe, as a way of letting people use english conjunctions (among other things) in their database records.

    It's not less secure, but it creates inaccurate data.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    It's worth noting that on Microsoft Access, there are characters other than quotes which must be escaped before you have a secure application.

    I don't claim to know them all, but the pipe character (|) is definitely one of them. I don't know the correct procedure to escape it.

    I do know that there are a lot of exploits for this, including ones which under some circumstances lead to a remote compromise of either LocalSystem or IWAM_MACHINENAME. I have successfully exploited it in a test environment.

    If you want a secure application, do not use Microsoft Access as a web database.

    Cheers
    Slarty

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Slarty, I've heard what you're talking about, and I believe you escape it the same way you escape a single quote -- that is double up on them. So you just need to replace all instances of | with || and it should be ok.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •