MySQL Forums
Forum List  »  Newbie

SQL Injection
Posted by: Richard Creer
Date: November 28, 2009 10:43AM

I guess I must be missing something but I've read the dire warnings about building SQL statements dynamically and I can't see what the problem is.

Let's say I have in my (VB.net) code
"insert into employees set name = '" + userfield + "'"
and userfield is some value entered on a web page.

If userfield contains say John Smith I get
insert into employees set name = 'John Smith' and a record with name John Smith is added to the table.

If userfield contains ;drop table employees; -- I get
insert into employees set name = ';drop table employees; --' and a record with name ;drop table employees; -- is added to the table.

If userfield contains 'a;drop table employees; -- I get
insert into employees set name = 'a';drop table employees; --' then I've got a problem but equally I have a problem, albeit a different one, if userfield contains say Mike O'Connor. Then I get
insert into employees set name = 'Mike O'Connor' which gives a syntax error.

So I must have a function to double all single quotes and my code becomes
"insert into employees set name = ' + doublequotes(userfield) + "'"

For numeric and date fields you must verify that they are valid otherwise you will also get syntax errors.

So I can't figure out how, with normal good programming practise which you must use anyway else your SQL isn't going to work, baddies are going to inject their sql into mine. I look forward to being enlightened!

Options: ReplyQuote


Subject
Written By
Posted
SQL Injection
November 28, 2009 10:43AM
November 28, 2009 11:48AM
November 29, 2009 09:32AM
November 30, 2009 12:21PM
November 29, 2009 12:03AM
November 29, 2009 09:49AM
November 29, 2009 11:59AM
November 29, 2009 01:37PM
November 29, 2009 02:36PM
November 29, 2009 03:09PM
November 30, 2009 08:45AM
November 30, 2009 09:51AM
November 30, 2009 10:17AM
November 30, 2009 08:39AM
November 30, 2009 10:55AM
November 30, 2009 11:34AM
December 01, 2009 04:14AM
January 18, 2010 11:49AM
January 18, 2010 12:10PM
January 18, 2010 12:10PM
January 18, 2010 12:07PM


Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.