SQL Sanitization

This is really funny!
I attended a presentation the other day. The presenter said that in order to avoid SQL Injection for string parameters, it is possible to double quotes.


For example:
string fix(string s)
{
return s.replace(”‘”, “””); // ‘ -> ‘ ‘
}

Let’s assume that’s fine.
Now he showed how to use it:

name = GetUserName();
pass = GetUserPass();
sSql = “SELECT count(*) FROM t_users WHERE name=’” + name + “‘ and pass = ‘” + pass “‘”;
sSql = fix(sSql);
execute(sSql);

And now the question for you – does fix work well? does the way of using “fix” is fine or is it hackable? how?

C’ya next time,
Maty

The following two tabs change content below.

Checkmarx

Latest posts by Checkmarx (see all)

Jump to Category