MySQL Forums :: Newbie :: SQL Injection



SQL Injection
Posted by: Richard Creer ()
Date: November 28, 2009 10:43AM

I guess I must be missing something but I've read the dire warnings about building SQL statements dynamically and I can't see what the problem is.

Let's say I have in my (VB.net) code
"insert into employees set name = '" + userfield + "'"
and userfield is some value entered on a web page.

If userfield contains say John Smith I get
insert into employees set name = 'John Smith' and a record with name John Smith is added to the table.

If userfield contains ;drop table employees; -- I get
insert into employees set name = ';drop table employees; --' and a record with name ;drop table employees; -- is added to the table.

If userfield contains 'a;drop table employees; -- I get
insert into employees set name = 'a';drop table employees; --' then I've got a problem but equally I have a problem, albeit a different one, if userfield contains say Mike O'Connor. Then I get
insert into employees set name = 'Mike O'Connor' which gives a syntax error.

So I must have a function to double all single quotes and my code becomes
"insert into employees set name = '" + doublequotes(userfield) + "'"

For numeric and date fields you must verify that they are valid otherwise you will also get syntax errors.

So I can't figure out how, with normal good programming practice which you must use anyway else your SQL isn't going to work, baddies are going to inject their SQL into mine. I look forward to being enlightened!




