InstantASP Community Forums
SQL term "washer"
Posted 12/04/2006 01:39:27
Forum Member
Group: Customers
Last Login: 27/09/2008 09:59:43
Posts: 47, Visits: 248
IKB has a routine that deletes certain SQL related terms from a string - notably used in Ask a Question and in the search strings.

Does anybody know of exploits that actually use form entries to run mal-SQL?

I'm thinking of getting rid of this routine on our KB because our business deals in scripts and updates, and those are 2 of the terms it just deletes. Makes it quite interesting to read user questions.

Not to mention that our head of support wasn't pleased when an exact text search for "Windows Update" didn't return an article he knew existed!

Charles

Post #10614
Posted 17/04/2006 05:53:55
Supreme Being
Group: Customers
Last Login: 07/07/2008 13:36:28
Posts: 84, Visits: 3,296
SQL Injection can happen with any user inputted data. But "washing" the string is not the best solution, although common.

The best solution is to pass all user inputted data to a Stored Procedure, and run it there.

I'm not too familiar with the forum code, but I'm assuming they are trying to prevent SQL Injection....

Post #10650
Posted 17/04/2006 14:47:35
Forum Member
Group: Customers
Last Login: 27/09/2008 09:59:43
Posts: 47, Visits: 248
Sure it can happen. Although with the input being treated as values (broken up, quotes fixed, and/or quoted before any statement is run), it would take considerable crafting to get any use out of it. You certainly wouldn't get any issue by accident.

And the input is in fact passed to a SP as well. 

I was curious as to whether this was a response to a specific issue, or just general paranoia.

Charles

Post #10656
Posted 18/04/2006 05:58:36
Supreme Being
Group: Customers
Last Login: 07/07/2008 13:36:28
Posts: 84, Visits: 3,296
Good question... in my opinion the strings don't need to be washed if they are being passed to an SP...

But they should be washed for logins, password forget pages, etc - that's where most brute force/SQL Injection takes place...but even then, if it's being passed to a stored procedure, I would only wash words like "select, union, shutdown, etc".....ya know, the obvious stuff...

Post #10658
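The points made across this thread, side by side in code: the opening post's complaint that a keyword "washer" eats legitimate words like "Update" and "scripts", and the replies' position that input bound as a value (parameterised query or stored procedure argument) needs no washing because quotes and keywords are treated as data. This is an added illustration, not IKB's or InstantForum's code; the keyword list, the two knowledge-base articles and the search queries are constructed for the example, and SQLite stands in for SQL Server.

```python
import re
import sqlite3

# Constructed blacklist modelled on the "washer" the thread describes; the real
# IKB term list is not on the page, so these entries are an assumption.
WASH_TERMS = ["select", "insert", "update", "delete", "drop", "union", "shutdown", "script"]
_WASH_RE = re.compile("|".join(re.escape(t) for t in WASH_TERMS), re.IGNORECASE)


def wash(text: str) -> str:
    """Blacklist-style washer: deletes anything that looks like a SQL keyword.

    Included only to show its side effects on ordinary text; it is not a defence.
    """
    stripped = _WASH_RE.sub("", text)
    return re.sub(r"\s+", " ", stripped).strip()


def build_kb() -> sqlite3.Connection:
    """In-memory knowledge base holding two constructed articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [
            ("Windows Update fails after reboot", "Re-run Windows Update from Control Panel."),
            ("Installing our scripts on Windows", "Copy the scripts into the install folder."),
        ],
    )
    conn.commit()
    return conn


def search_parameterised(conn: sqlite3.Connection, term: str) -> list[str]:
    """Search where the user's text is bound as a value.

    The SQL statement is fixed; whatever the term contains (quotes, keywords)
    is handed to the engine as data, so nothing has to be washed out of it.
    """
    pattern = f"%{term}%"
    rows = conn.execute(
        "SELECT title FROM articles WHERE title LIKE ? OR body LIKE ? ORDER BY id",
        (pattern, pattern),
    ).fetchall()
    return [title for (title,) in rows]


def search_concatenated(conn: sqlite3.Connection, term: str) -> list[str]:
    """The pattern washing tries to paper over: user text spliced into the SQL."""
    sql = "SELECT title FROM articles WHERE title LIKE '%" + term + "%' ORDER BY id"
    return [title for (title,) in conn.execute(sql).fetchall()]


def quote_breaks_concatenation(conn: sqlite3.Connection) -> bool:
    """An apostrophe in perfectly ordinary input is enough to show the difference:
    the concatenated query is parsed as SQL and fails, the bound one simply runs."""
    try:
        search_concatenated(conn, "O'Brien's")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    kb = build_kb()
    print(wash("Windows Update"))                            # washer turns it into 'Windows'
    print(search_parameterised(kb, "Windows Update"))        # exact phrase found, unwashed
    print(search_parameterised(kb, wash("Windows Update")))  # washed phrase matches both articles
    print(search_parameterised(kb, "O'Brien's"))             # empty result, no error
    print(quote_breaks_concatenation(kb))                    # True
```

Running it reproduces the support manager's complaint: the washed search for "Windows Update" degrades to "Windows" and returns the wrong articles, while the bound query finds the exact phrase and shrugs off an apostrophe that breaks the concatenated version. One caveat the thread does not spell out: passing input to a stored procedure only helps if the procedure itself does not rebuild a statement from that parameter with dynamic SQL; the safety comes from the value being bound, not from where the SQL lives.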