[ic] sql filter not 100% safe for MySQL
Mike Heins
mike at perusion.com
Sat Jul 24 13:42:23 EDT 2004
Quoting John1 (list_subscriber at yahoo.co.uk):
> On Saturday, July 24, 2004 4:12 PM, mike at perusion.com wrote:
>
> > Quoting John1 (list_subscriber at yahoo.co.uk):
> >> The sql filter doubles up and single quotes to avoid single quotes
> >> ruining a query and protect against sql injection.
> >>
> >> However, as you may also escape single quotes i.e. \' it is still
> >> possible to trip up a query.
> >
> > You shouldn't mix and match the two. You should do either or.
> >
> Thanks for your reply Mike - it's not that *I* would mix and match the two,
> I am really just pointing out that it is still possible to inject SQL even
> if all user input is run through the sql filter. Unless I am
> misunderstanding something??
Aha. Yes, this makes sense.
>
> What I am saying is that \'' (a backslash followed by 2 single quotes) is
> converted by the sql filter into:
>
> \''''
>
> This is then interpreted by MySQL as 1 escaped quote, followed by 2 single
> quotes (i.e. another escaped quote), followed by 1 single quote. So it is
> possible to "sneak" a "close quote" through the sql filter by mixing and
> matching \' and ''.
>
> e.g. Say that a user put the following in a search box:
>
> something\'';drop database somedatabase
>
> Then if this were passed through the sql filter you would get:
>
> something\'''';drop database somedatabase
>
> Then, the query passed via a query tag might be:
>
> SELECT field1, field2 from products WHERE description='something\'''';drop
> database somedatabase
>
> Perhaps [query] won't execute 2 SQL statements separated by a semi-colon?
> So perhaps there is no risk of SQL injection?? But, it is possible to
> create a bad SQL statement in this way and so generate an error.
Query will not execute two statements, but it would certainly be possible
to create a subquery situation.
I wonder if MySQL has a way to ensure that \' is not interpreted
as a single quote? That would be the best way to solve this.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.647.1295 tollfree 800-949-1889 <mike at perusion.com>
Fast, reliable, cheap. Pick two and we'll talk. -- unknown
More information about the interchange-users
mailing list