[prev in list] [next in list] [prev in thread] [next in thread]
List: webappsec
Subject: Re: Strange beaviour in sql injection
From: Mariusz Pekala <skoot () poczta ! onet ! pl>
Date: 2002-11-30 20:26:20
[Download RAW message or body]
Dennis Hurst (wto 29. październik 2002 15:06):
> The proper way to do it would have been:
> if IsNumeric(Request("passedID")) then
> 'all is well, build the SQL
> sSql = "select * from myTable where ID = " &
> cstr(clng(Request("passedID")))
> 'do some database stuff here
> else
> 'go away, your doing something bad....
> end if
>
>
> Using the cstr(CLng()) functions will convert it to a numeric and back
> again, effectively
> Removing the SQL Injection.
Why not using a regular expression on raw request data?
/^[0-9]{1,8}$/ (or similiar, depends on language of the application) should
ensure that you'r dealing with numeric. (integer, if that's what you need).
I may be wrong, or may not understand it all, but I would rather not trust
functions that convert. They sometimes ignore/modify/guess.
If I check that the string my webapp received contains only numbers, and not
more than 9, then I may be SURE that there is no SQL injection here.
(Be gentle if I am saying something stupid or didn't understood what was
going on :-))) )
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic