
List:       webappsec
Subject:    Re: Strange behaviour in sql injection
From:       Mariusz Pekala <skoot () poczta ! onet ! pl>
Date:       2002-11-30 20:26:20

Dennis Hurst (Tue 29 October 2002 15:06):
> The proper way to do it would have been:
> 	if IsNumeric(Request("passedID")) then
> 		'all is well, build the SQL
> 		sSql = "select * from myTable where ID = " & cstr(clng(Request("passedID")))
> 		'do some database stuff here
> 	else
> 		'go away, you're doing something bad....
> 	end if
>
>
> Using the cstr(CLng()) functions will convert it to a numeric and back
> again, effectively removing the SQL Injection.

Why not use a regular expression on raw request data?

/^[0-9]{1,8}$/ (or similar, depending on the language of the application) should
ensure that you're dealing with a numeric value (an integer, if that's what you need).

I may be wrong, or may not understand it all, but I would rather not trust
functions that convert. They sometimes ignore/modify/guess.
If I check that the string my webapp received contains only numbers, and not
more than 9, then I may be SURE that there is no SQL injection here.

(Be gentle if I am saying something stupid or didn't understand what was
going on :-))) )
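The two approaches side by side, as an added example that is not part of the original thread and not the poster's ASP code: the strict digit-only check proposed above, and a converting function (Python's int() stands in for IsNumeric/CLng) that accepts more than the regex does. The sample request values are constructed for the demonstration.

```python
import re

# Allow-list check as proposed in the reply: one to eight ASCII digits and nothing else.
# fullmatch() is used instead of match() with '$': in Python '$' also matches just
# before a trailing newline, so "12\n" would pass a '^[0-9]{1,8}$' pattern.
ID_PATTERN = re.compile(r"[0-9]{1,8}")


def regex_validate(raw: str):
    """Return the raw string unchanged if it is 1-8 digits, otherwise None."""
    return raw if ID_PATTERN.fullmatch(raw) else None


def anchored_with_dollar(raw: str) -> bool:
    """The same pattern anchored with ^...$ and re.match(), to show the newline caveat."""
    return re.match(r"^[0-9]{1,8}$", raw) is not None


def convert_validate(raw: str):
    """Analogue of IsNumeric + CStr(CLng()): int() is the converting function here.
    The result is always a canonical integer string, so it is safe to splice into
    SQL, but int() silently tolerates whitespace, a sign and digit separators."""
    try:
        return str(int(raw))
    except ValueError:
        return None


def build_query(id_str: str) -> str:
    """Build the query only from a value that already passed validation."""
    return "select * from myTable where ID = " + id_str


# Constructed sample inputs (hypothetical request values, not from the original post).
SAMPLES = ["42", " 42 ", "+42", "1_000", "1e3", "42\n", "1 OR 1=1", "123456789"]


def compare(samples=SAMPLES):
    """Map each input to (regex result, conversion result) for side-by-side comparison."""
    return {s: (regex_validate(s), convert_validate(s)) for s in samples}


if __name__ == "__main__":
    for raw, (by_regex, by_convert) in compare().items():
        print(f"{raw!r:15} regex={by_regex!r:12} convert={by_convert!r}")
```

Only the plain "42" passes the regex; the converter also accepts " 42 ", "+42", "1_000" and "42\n" and rewrites them, which is the "ignore/modify/guess" behaviour the reply is wary of.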
