-
March 1st, 2002, 03:05 PM
#1
Member
SQL injection
With respect to SQL strings:
Why is it not suffitient enough to replace an apostrophe ' with a quotation mark " ? Where ever I read about this, it is said that one apostrophe has to replaced with two. I understand all about string beginings and endings, but if one apostrophe is replaced by a quotation mark, whay can it be abused?
Thanks so much.
-
March 1st, 2002, 04:50 PM
#2
It can't, but you're altering data then...
Let's say you look at my previous sentence using your suggestion:
Code:
It can"t, but you"re altering data then...
and then as I wrote it:
Code:
It can't, but you're altering data then...
SQL standards dictate that two apostrophes inside a quoted string are to be treated as a single apostrophe, as a way of letting people use english conjunctions (among other things) in their database records.
It's not less secure, but it creates inaccurate data.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
March 1st, 2002, 10:51 PM
#3
It's worth noting that on Microsoft Access, there are characters other than quotes which must be escaped before you have a secure application.
I don't claim to know them all, but the pipe character (|) is definitely one of them. I don't know the correct procedure to escape it.
I do know that there are a lot of exploits for this, including ones which under some circumstances lead to a remote compromise of either LocalSystem or IWAM_MACHINENAME. I have successfully exploited it in a test environment.
If you want a secure application, do not use Microsoft Access as a web database.
Cheers
Slarty
-
March 1st, 2002, 11:02 PM
#4
Slarty, I've heard what you're talking about, and I believe you escape it the same way you escape a single quote -- that is double up on them. So you just need to replace all instances of | with || and it should be ok.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|