Web Wiz - Solar Powered Eco Web Hosting
SQL Injection

zMaestro (Senior Member; Joined: 11 May 2003; Location: Egypt; Points: 1183)
Posted: 08 September 2006 at 10:28am
Hello,
What is the best way to protect my web site from SQL Injection?
I've a login area for the database, and want to know the best way I can protect it.
Thank you.
VBScript (Senior Member; Joined: 14 July 2004; Location: United Kingdom; Points: 219)
Posted: 08 September 2006 at 7:09pm
The best things to remove are standard brackets ( and ) and square brackets [ and ].
Mart (Senior Member; Joined: 30 November 2002; Points: 2304)
Posted: 08 September 2006 at 7:49pm
Removing brackets and square brackets won't do anything. The only correct way to protect against SQL injections in providers that support it is to use parameterised queries/stored procedures.

Are you using SQL Server, Access or MySQL?
WebWiz-Bruce (Admin Group, Web Wiz Developer; Joined: 03 September 2001; Location: Bournemouth; Points: 9791)
Posted: 09 September 2006 at 9:17am
The simplest way to solve SQL injection issues is to filter any user input that is to be used with an SQL query to remove any single quote ' characters.

There are further things you can do to protect against SQL injections but this is the simplest and most effective.
Scott07 (Groupie; Joined: 04 July 2002; Location: United Kingdom; Points: 43)
Posted: 30 November 2006 at 11:17am
If you ever search about this subject there are a million and one ideas about it (I am doing it for an undergraduate project). There are a lot of people who think using code to check is a waste of time, some people think you should use regular expressions on your input, proxy filtering and all sorts.
So far though the best rules I have found for ASP are:

for all numbers used in a query use the isnumeric() function (to stop people submitting "1 OR 1=1")

for all strings remove all single quotes.

if you can't remove all single quotes because you need them you must change them to either \' or ''

if you change them to '' you must also check for \ (as this is a clever way of using the application to help you with your attack)

Don't fall into the false sense of security of having proxy filtering; there are easy ways round them using incorrect HTTP request headers.

Also don't fall into the trap of using custom error pages thinking this will stop people getting data out as it's still easy on a vulnerable system.

Use parameterised queries as these are currently believed to be immune (but who knows when the crackers will find a way round).

As a limiting mechanism don't connect to the database as the SA account as this could result in the attacker executing the stored procedure that accesses the command line shell.

I think that's all the basic ways to avoid it, with ASP it's quite easy as you can do full string replaces as a built-in function.
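The three approaches the thread has discussed so far (Bruce's single-quote stripping, Scott07's IsNumeric check on numbers, and Mart's parameterised queries) side by side, as an added example that is not from any poster or from Web Wiz. It is written in Python against an in-memory SQLite table rather than the classic ASP/ADO the posters use, because the pattern is identical; the users table and the names in it are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien")])
    return conn

def strip_single_quotes(value):
    """Bruce's suggestion: drop every ' from user input before building SQL."""
    return value.replace("'", "")

def by_id_concat(conn, user_id):
    """Vulnerable: the (unquoted) number is pasted into the SQL text.
    Quote stripping cannot help here because the payload needs no quotes."""
    sql = f"SELECT username FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]

def by_id_param(conn, user_id):
    """Parameterised: the driver sends the value separately from the SQL.
    Scott07's IsNumeric rule is applied first so bad input is rejected outright."""
    if not str(user_id).isdigit():
        return []
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE id = ?", (int(user_id),))]

def by_name_concat(conn, username):
    """Vulnerable: a single quote in the input breaks the SQL string."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def by_name_param(conn, username):
    """Parameterised: the quote is just data, so O'Brien can still be found."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE username = ?", (username,))]

if __name__ == "__main__":
    db = make_db()
    print(by_id_concat(db, "1 OR 1=1"))   # every user, not just id 1
    print(by_id_param(db, "1 OR 1=1"))    # rejected: []
    print(by_name_param(db, "O'Brien"))   # [2]
    # Quote stripping breaks the legitimate user instead of protecting the query.
    print(by_name_concat(db, strip_single_quotes("O'Brien")))   # []
```

The numeric case is the one quote stripping misses entirely, which is why the thread ends up recommending parameterised queries plus input validation rather than a character blacklist.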
MrMellie (Senior Member; Joined: 12 December 2006; Location: United Kingdom; Points: 251)
Posted: 14 December 2006 at 9:30pm
In a mod I did for my Snitz forum, I used a combination of replacing non-alphanumeric characters with their ASCII code and used HTMLencode to change other "dangerous" characters to stuff SQL won't recognise. I believe this is secure, unless anyone can prove otherwise?
Forum Software by Web Wiz Forums® version 12.07
Copyright ©2001-2024 Web Wiz Ltd.