SQL injection

[Surreal]

With respect to SQL strings:

Why is it not suffitient enough to replace an apostrophe ' with a quotation mark " ? Where ever I read about this, it is said that one apostrophe has to replaced with two. I understand all about string beginings and endings, but if one apostrophe is replaced by a quotation mark, whay can it be abused?

Thanks so much.

[chsh]

It can't, but you're altering data then...

Let's say you look at my previous sentence using your suggestion:

Code:

It can"t, but you"re altering data then...

and then as I wrote it:

Code:

It can't, but you're altering data then...

SQL standards dictate that two apostrophes inside a quoted string are to be treated as a single apostrophe, as a way of letting people use english conjunctions (among other things) in their database records.

It's not less secure, but it creates inaccurate data.

[slarty]

It's worth noting that on Microsoft Access, there are characters other than quotes which must be escaped before you have a secure application.

I don't claim to know them all, but the pipe character (|) is definitely one of them. I don't know the correct procedure to escape it.

I do know that there are a lot of exploits for this, including ones which under some circumstances lead to a remote compromise of either LocalSystem or IWAM_MACHINENAME. I have successfully exploited it in a test environment.

If you want a secure application, do not use Microsoft Access as a web database.

Cheers
Slarty

[chsh]

Slarty, I've heard what you're talking about, and I believe you escape it the same way you escape a single quote -- that is double up on them. So you just need to replace all instances of | with || and it should be ok.