dbTalk Databases Forums

Understanding injection attacks

comp.databases.postgresql

#11 bcar - Re: Understanding injection attacks - 10-06-2010, 04:40 AM

On 06/10/2010 10:50, Lothar Kimmeringer wrote:
Quote:
Simon Brooke wrote:

So I'm considering building up a query in a string buffer, with clauses
like the following:

String author = context.getValueAsString( Book.AUTHORFN );

if ( author != null ) {
/* do something to sanitise the input */
query.append( " and author like '%" ).append( author ).append( "%'" );
}

query.append(" and author like ?");
parameters.add(new MyParameterInfo(MyParameterInfo.TYPE_STRING,
"%" + author + "%"));

You still have injection issues here, the user can enter % and _
for himself but that only affects the results not the statement
itself.

I see another possibility of injection with a string containing
"\';INSERT... --"
So if you simply replace ' by '' in your example you will have:
and author like '%\'';INSERT...--'
So the INSERT (or what you want) will be executed

Quote:
But do all SQL injection attacks depend simply on this trick, or are
there other tricks I need to defend against? In the particular instance,
the database is Postgres 8, but I'd like to have a general understanding
and a general solution.


#12 Arne Vajhøj - Re: Understanding injection attacks - 10-06-2010, 05:43 PM

On 06-10-2010 05:40, bcar wrote:
Quote:
On 06/10/2010 10:50, Lothar Kimmeringer wrote:
Simon Brooke wrote:

So I'm considering building up a query in a string buffer, with clauses
like the following:

String author = context.getValueAsString( Book.AUTHORFN );

if ( author != null ) {
/* do something to sanitise the input */
query.append( " and author like '%" ).append( author ).append( "%'" );
}

query.append(" and author like ?");
parameters.add(new MyParameterInfo(MyParameterInfo.TYPE_STRING,
"%" + author + "%"));

You still have injection issues here, the user can enter % and _
for himself but that only affects the results not the statement
itself.


I see another possibility of injection with a string containing
"\';INSERT... --"
So if you simply replace ' by '' in your example you will have:
and author like '%\'';INSERT...--'
So the INSERT (or what you want) will be executed
Usually the JDBC driver will reject that.

Multiple SQL statements in a single execute is usually not supported.

Arne


#13 Lothar Kimmeringer - Re: Understanding injection attacks - 10-07-2010, 06:54 AM

bcar wrote:

Quote:
On 06/10/2010 10:50, Lothar Kimmeringer wrote:

query.append(" and author like ?");
parameters.add(new MyParameterInfo(MyParameterInfo.TYPE_STRING,
"%" + author + "%"));

You still have injection issues here, the user can enter % and _
for himself but that only affects the results not the statement
itself.


I see another possibility of injection with a string containing
"\';INSERT... --"
So if you simply replace ' by '' in your example you will have:
and author like '%\'';INSERT...--'
So the INSERT (or what you want) will be executed
No, because the escaping of all relevant characters will take
place in (or is at least the responsibility of) the JDBC driver
when setting the parameter using setString(...).

So the above text will actually be searched for in the database,
leading to (most likely) zero results.


Regards, Lothar
--
Lothar Kimmeringer E-Mail: spamfang (AT) kimmeringer (DOT) de
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!

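A parameterized version of the clause under discussion, added here as an example and not code from the thread: the SQL text carries only a `?` placeholder, `setString` hands the value to the driver (the point Lothar makes), and the LIKE metacharacters `%` and `_` in the user's text are escaped so they match literally instead of widening the search (the side issue he also notes). The `AuthorSearch` class, the `book` table and its `title`/`author` columns are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public final class AuthorSearch {   // hypothetical class name

    /* Escape LIKE metacharacters with '!' so the user's text matches
     * literally. '!' is used rather than a backslash because on Postgres 8
     * (standard_conforming_strings off) a backslash inside a literal is
     * itself an escape character, which makes "escape '\'" ambiguous. */
    static String escapeLike(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            if (c == '!' || c == '%' || c == '_') sb.append('!');
            sb.append(c);
        }
        return sb.toString();
    }

    /* The SQL text never contains user data, only a '?' placeholder. */
    static String buildSql(String author) {
        StringBuilder query = new StringBuilder(
            "select title from book where 1 = 1");     // 'book' table assumed
        if (author != null) query.append(" and author like ? escape '!'");
        return query.toString();
    }

    /* The driver sends the value separately from the statement (or escapes
     * it itself), so quotes, backslashes and ';' in 'author' stay data. */
    static List<String> findTitles(Connection conn, String author)
            throws SQLException {
        List<String> titles = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(buildSql(author))) {
            if (author != null) ps.setString(1, "%" + escapeLike(author) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) titles.add(rs.getString("title"));
            }
        }
        return titles;
    }
}
```

Searching for the thread's `\';INSERT... --` string with this code yields a LIKE pattern for exactly that text, so the query returns no rows rather than running anything extra.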

#14 bcar - Re: Understanding injection attacks - 10-13-2010, 04:55 AM

On 07/10/2010 13:54, Lothar Kimmeringer wrote:
Quote:
No, because the escaping of all relevant characters will take
place in (or is at least the responsibility of) the JDBC-driver
when setting the parameter using setString(...)
Yes, I'm OK with that. But you have to check configuration and JDBC used
and at least test to ensure that is safe.

bcar


#15 Mladen Gogala - Re: Understanding injection attacks - 10-13-2010, 04:26 PM

On Wed, 13 Oct 2010 11:55:53 +0200, bcar wrote:

Quote:
Yes, I'm OK with that. But you have to check configuration and JDBC used
and at least test to ensure that is safe.
And this is how you check whether it's safe:
http://www.youtube.com/watch?v=FHbBWC7w_Gk


--
http://mgogala.byethost5.com


#16 Arne Vajhøj - Re: Understanding injection attacks - 10-13-2010, 06:52 PM

On 13-10-2010 05:55, bcar wrote:
Quote:
On 07/10/2010 13:54, Lothar Kimmeringer wrote:
No, because the escaping of all relevant characters will take
place in (or is at least the responsibility of) the JDBC-driver
when setting the parameter using setString(...)

Yes, I'm OK with that. But you have to check configuration and JDBC used
and at least test to ensure that is safe.
It is required functionality for the driver to be JDBC compliant.

Arne


#17 Mladen Gogala - Re: Understanding injection attacks - 10-14-2010, 04:17 AM

On Wed, 13 Oct 2010 19:52:02 -0400, Arne Vajhøj wrote:

Quote:
Yes, I'm OK with that. But you have to check configuration and JDBC
used and at least test to ensure that is safe.

It is required functionality for the driver to be JDBC compliant.

JDBC drivers usually are JDBC compliant. If they are not, they're called
something else, not "JDBC drivers".


--
http://mgogala.byethost5.com
