
SQL Sanitization

This is really funny!
I attended a presentation the other day. The presenter said that, in order to avoid SQL injection for string parameters, it is possible to double the quotes.


For example:
string fix(string s)
{
    return s.Replace("'", "''"); // ' -> ''  (double every single quote)
}

Let’s assume that’s fine.
Now he showed how to use it:

name = GetUserName();
pass = GetUserPass();
sSql = "SELECT count(*) FROM t_users WHERE name='" + name + "' and pass = '" + pass + "'";
sSql = fix(sSql); // fix() is applied to the assembled statement
execute(sSql);

And now the question for you: does fix work well? Is the way “fix” is used fine, or is it hackable? How?
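If you want to check your answer rather than reason about it, the following is an added example (mine, not the presenter's or the author's code) that reproduces the pipeline above in Python against an in-memory SQLite table. The table, the single user row and the helper names are assumptions for the sake of the demo. It builds the login query three ways: fix() applied to the whole assembled statement as the presenter did, fix() applied to each parameter before concatenation, and a bound-parameter query, and lets you execute each with whatever name and password you like.

```python
"""Added example (not from the original post): reproduce the presenter's
pipeline against an in-memory SQLite table and compare three ways of
building the login query. Table, row and helper names are assumptions."""
import sqlite3


def fix(s: str) -> str:
    """The presenter's fix(): double every single quote ( ' -> '' )."""
    return s.replace("'", "''")


def build_query(name: str, password: str) -> str:
    """String-concatenated query exactly as in the post (no escaping here)."""
    return ("SELECT count(*) FROM t_users WHERE name='" + name
            + "' and pass = '" + password + "'")


def query_fix_whole(name: str, password: str) -> str:
    """What the presenter did: build the statement first, then fix() all of it."""
    return fix(build_query(name, password))


def query_fix_params(name: str, password: str) -> str:
    """Alternative: fix() each parameter before it is concatenated."""
    return build_query(fix(name), fix(password))


def make_db() -> sqlite3.Connection:
    """Constructed sample table with one user (assumption, not from the post)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t_users (name TEXT, pass TEXT)")
    con.execute("INSERT INTO t_users VALUES ('alice', 'secret')")
    return con


def run(con: sqlite3.Connection, sql: str):
    """Execute a login query; return the matched row count, or an error string."""
    try:
        return con.execute(sql).fetchone()[0]
    except sqlite3.Error as e:
        return f"ERROR: {e}"


def run_parameterized(con: sqlite3.Connection, name: str, password: str) -> int:
    """Bound parameters: the driver keeps the data out of the SQL text entirely."""
    return con.execute(
        "SELECT count(*) FROM t_users WHERE name=? and pass=?",
        (name, password)).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    # Inputs to try: a legitimate login, the classic quote-based payload,
    # and the same payload without the leading quote.
    attempts = [("alice", "secret"), ("' OR 1=1 --", "x"), (" OR 1=1 --", "x")]
    for name, password in attempts:
        print(f"--- name={name!r} pass={password!r}")
        for label, sql in (("fix(whole statement)", query_fix_whole(name, password)),
                           ("fix(each parameter)", query_fix_params(name, password))):
            print(f"{label:22} {sql}")
            print(f"{'':22} -> {run(con, sql)}")
        print(f"{'bound parameters':22} -> {run_parameterized(con, name, password)}")
```

Run it and read the printed statements next to their results: the interesting part is where the user-supplied text ends up relative to the quote characters once every quote in the statement, including the ones that delimit the literals, has been doubled.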

C’ya next time,
Maty
