ReplaceAll quotes with backslashes - is that enough?

I use replaceAll to replace single quotes with "\\\\'" at a colleague's suggestion, but I'm sure this is not enough to prevent all SQL injections.

I did some search queries and found this: http://wiki.postgresql.org/wiki/8.1.4_et._al._Security_Release_Technical_Info

This explains it for PostgreSQL, but does this replacement not work for all SQL database systems (MySQL, for example)?

Also, I think I understand how the explanation I linked works for a single backslash, but does it apply to my situation, where I use four backslashes?

Please note that I am not very familiar with databases and how they analyze input, but this is my chance to learn more! Any insight would be appreciated.

Edit: I got some very helpful answers. My next question is: what input might break my implementation? That is, if you give me input and I prefix all single quotes with four backslashes, what input would you give me to inject SQL code? Although I am convinced that my approach is naive and wrong, perhaps some examples will teach me better how easily SQL can be injected despite my “prevention”.

+5
3 answers

, ? , ' \', \' \\', . mysql mysql_real_escape_string(), , MySQL.

. , . php : $query="select * from user where id=".$_GET[id];

PoC : http://localhost/vuln.php?id=sleep(10)

mysql_real_escape_string($_GET[id]), sqli, , sql. - .

+2

.

, . , , SQL . - SQL. .

, , SQL . ORM. , SQL-, , , , , : , , .

+2

SQL ( ):

name = form_params["name"]
year = 2011
sql = "INSERT INTO Students (name, year) " + 
      "VALUES ('" + name + "', " + year + ");"
database_handle.query(sql)

year , , ; - .

name , . Bobby Tables :

name = "Robert'); DROP TABLE Students; -- "

INSERT INTO Students (name, year) VALUES ('Robert');
DROP TABLE Students; -- ', 2011);

.

- , , . , . -- , .

, - .

:

name = form_params["name"].regex_replace("'", "\\\\'")

, , . "\\\\'" \\'. regex_replace \'.

... VALUES ('Robert\'); DROP TABLE Students; -- ', 2011);

.

. , , \\ \, \\ \ ( $1 \1 ) ,

... VALUES ('Robert\\'); DROP TABLE Students; -- ', 2011);

SQL- .

, , , , , , . :

  • , , , , :

    sql = "... '" + database_handle.escape(name) + "' ..."

  • ( ), , :

    sql = "... VALUES (:n, :y);"
    database_handle.query(sql, n = name, y = year)

+1
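Added example (not from the question or any of the answers here): a runnable Python/sqlite3 check of the two points the answers make, that backslash-escaping quotes depends on the database (SQLite, like standard SQL, treats a backslash inside a string literal as an ordinary character, so the quote still terminates the string) and that it does nothing for an unquoted numeric value such as the id=sleep(10) case, with bound parameters beside it for comparison. The Students table and its rows are constructed.

```python
import sqlite3

# Constructed sample rows, modelled on the Students table in the last answer.
STUDENTS = [("Robert", 2011), ("Alice", 2012), ("O'Brien", 2011)]


def new_db() -> sqlite3.Connection:
    """In-memory database holding the constructed Students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT, year INTEGER)")
    conn.executemany("INSERT INTO Students (name, year) VALUES (?, ?)", STUDENTS)
    return conn


def naive_escape(value: str) -> str:
    """The question's approach: turn each ' into backslash + quote."""
    return value.replace("'", "\\'")


def find_by_name_naive(conn, name: str) -> list:
    """Hand-quoted, backslash-escaped, concatenated into the SQL text.

    In SQLite the backslash is not an escape character, so 'x\\' ends the
    literal and the rest of the input is parsed as SQL; a legitimate name
    such as O'Brien produces a syntax error instead of a match.
    """
    sql = "SELECT name FROM Students WHERE name = '" + naive_escape(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_year_naive(conn, year: str) -> list:
    """Unquoted numeric context: quote escaping never touches this value."""
    sql = "SELECT name FROM Students WHERE year = " + naive_escape(year)
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name: str) -> list:
    """Bound parameter: the driver keeps the data out of the SQL text."""
    cur = conn.execute("SELECT name FROM Students WHERE name = ?", (name,))
    return [row[0] for row in cur]


def find_by_year_param(conn, year: str) -> list:
    """Bound parameter in numeric context: non-numeric text simply matches nothing."""
    cur = conn.execute("SELECT name FROM Students WHERE year = ?", (year,))
    return [row[0] for row in cur]
```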
