
Escaping Strings to Prevent SQL Injection

What would you parse out of user-submitted values?


Demaestro

7:26 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So I have a totally custom site that is passing some user defined vars to procedures that pass them to SQL.

This is not PHP and there are no pre-built libraries or anything like that.

I am writing a script that will be called on all variables passed to any sql.

So far I am replacing ' with ''

All that is is doubling up single quotes.... but other than that what else should I be looking for?

What about:

' or = '

Should I worry about these types of things or will doubling up that single quote take care of it?

What about:

''' or = '

Anybody have a list of things to parse out before handing variables to SQL methods?

[edited by: Demaestro at 7:27 pm (utc) on Oct. 31, 2007]

jdMorgan

8:22 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Some basic security advice: Do not think about what to reject, think about what you will allow.

While this sounds like the same thing in different words, it's really all about attitude. Consider the effects of an error of omission in each case: If you forget something using the "what do I reject" approach, you get hacked. If you forget something using the "what do I allow" approach, then you have a few database problems, easily identifiable in testing.

Jim
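The "decide what you allow" approach Jim describes, as an added example that is not code from the thread: every field gets its own allow-list pattern and anything that does not match is rejected outright rather than cleaned up. The field names and patterns are assumptions made up for the example; the sample inputs include the two strings from the opening post.

```python
import re

# Added example, not from the thread. Each field declares exactly what it
# accepts (hypothetical field names and patterns); anything else is refused.
ALLOWED = {
    "username": re.compile(r"[A-Za-z0-9_]{3,20}"),   # letters, digits, underscore
    "order_id": re.compile(r"[0-9]{1,10}"),          # plain integer id
    "sort":     re.compile(r"name|date|price"),      # fixed set of column names
}


class RejectedInput(ValueError):
    """Raised when a value is not on the field's allow-list."""


def validate(field: str, value: str) -> str:
    """Return value unchanged if it fully matches the field's pattern, else raise.

    Unknown fields are rejected too: forgetting to define an allow-list is an
    error that shows up in testing, not a hole that lets everything through.
    """
    pattern = ALLOWED.get(field)
    if pattern is None:
        raise RejectedInput(f"no allow-list defined for field {field!r}")
    if not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise RejectedInput(f"field {field!r} rejected value {value!r}")
    return value


def validate_all(params: dict) -> dict:
    """Validate every submitted parameter; the first bad one aborts the request."""
    return {name: validate(name, value) for name, value in params.items()}


if __name__ == "__main__":
    # Constructed sample inputs, including the two strings from the opening post.
    samples = [
        ("username", "demaestro"),
        ("order_id", "1234"),
        ("sort", "price"),
        ("username", "' or = '"),
        ("order_id", "''' or = '"),
        ("comment", "anything"),          # no allow-list defined for this field
    ]
    for field, value in samples:
        try:
            print(f"{field:9s} OK        {validate(field, value)!r}")
        except RejectedInput as err:
            print(f"{field:9s} REJECTED  {err}")
```

The patterns are deliberately narrow; widening one (for example to let a free-text field contain quotes) is a visible decision, and a field that legitimately needs arbitrary text is the case where escaping or, better, parameterized queries have to take over.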

jatar_k

8:24 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



special chars for your flavour of db is a start

and following Jim's advice

Demaestro

3:59 pm on Nov 1, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



That is actually good advice JD thanks.

It follows the same mantra I follow for testing. Which is...

Don't try to prove it works, try to prove it doesn't.

joelgreen

6:10 pm on Nov 1, 2007 (gmt 0)

10+ Year Member



PHP has mysql_real_escape_string for MySQL. It escapes \x00, \n, \r, \, ', " and \x1a

Looks like at least these chars must be escaped before using values in an SQL statement
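An added example, not code from the thread or from PHP, that escapes the seven characters joelgreen lists the way mysql_real_escape_string does, puts the opening post's plain quote-doubling beside it, and checks each result with a small walker that reads a quoted literal the way a backslash-escaping dialect such as MySQL does. The function names and the sample inputs are constructed for the example.

```python
# Added example, not from the thread. Escapes the characters listed in the post
# above (NUL, newline, carriage return, backslash, single quote, double quote
# and Ctrl-Z) for a dialect that treats backslash as an escape character, as
# MySQL does by default.
ESCAPES = {
    "\x00": "\\0",
    "\n":   "\\n",
    "\r":   "\\r",
    "\\":   "\\\\",
    "'":    "\\'",
    '"':    '\\"',
    "\x1a": "\\Z",
}


def escape_mysql(value: str) -> str:
    """Escape every listed character; all other characters pass through."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def double_quotes(value: str) -> str:
    """The opening post's approach: only the single quote is handled."""
    return value.replace("'", "''")


def quoted_literal(value: str, escaper=escape_mysql) -> str:
    """Wrap an escaped value in single quotes, as it would appear in a statement."""
    return "'" + escaper(value) + "'"


def literal_ends_where_expected(literal: str) -> bool:
    """Read a single-quoted literal as a backslash-escaping parser would.

    Returns True only if the string closes exactly at the final character;
    False means the value either broke out early or left the literal open.
    """
    if not literal.startswith("'"):
        return False
    i, n = 1, len(literal)
    while i < n:
        ch = literal[i]
        if ch == "\\":
            i += 2                      # backslash escapes whatever follows
            continue
        if ch == "'":
            if i + 1 < n and literal[i + 1] == "'":
                i += 2                  # doubled quote stays inside the string
                continue
            return i == n - 1           # closing quote must be the last char
        i += 1
    return False                        # never closed


if __name__ == "__main__":
    # Constructed sample values: the string from the opening post, and one
    # ending in a backslash followed by a quote.
    for value in ["' or = '", "x\\'", "plain text"]:
        for name, esc in [("double_quotes", double_quotes), ("escape_mysql", escape_mysql)]:
            lit = quoted_literal(value, esc)
            print(f"{name:13s} {lit!r:20s} well-formed: {literal_ends_where_expected(lit)}")
```

For the opening post's example both approaches produce a well-formed literal, but a value containing a backslash before a quote shows the difference: with quote-doubling alone the backslash swallows the first of the doubled quotes and the literal does not close where the statement expects it to, which is why joelgreen's list includes the backslash. In a dialect that does not treat backslash specially, doubling the quote is the correct escape. Where the database driver offers bound parameters, using them avoids the question entirely, since the value is never spliced into the statement text.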