This is really funny!
I attended a presentation the other day. The presenter said that in order to avoid SQL Injection in string parameters, it is possible to double the single quotes:
string fix(string s)
{
    return s.Replace("'", "''"); // ' -> ''
}
Let’s assume that’s fine.
Now he showed how to use it:
name = GetUserName();
pass = GetUserPass();
sSql = "SELECT count(*) FROM t_users WHERE name='" + name + "' and pass = '" + pass + "'";
sSql = fix(sSql);
And now the question for you: does fix work well? Is the way "fix" is used here fine, or is it hackable? How?
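To check the question concretely, here is an added example (not code from the presentation or from this post) that runs the helper in three placements against a constructed in-memory SQLite table standing in for t_users: on the whole assembled query as the presenter showed, on each value before concatenation, and replaced by bound parameters.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the page's t_users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t_users(name TEXT, pass TEXT)")
    con.executemany("INSERT INTO t_users VALUES(?, ?)",
                    [("alice", "secret"), ("O'Brien", "pw")])
    return con


def fix(s):
    # The presenter's helper: every single quote becomes two.
    return s.replace("'", "''")


def login_fix_whole_query(con, name, pw):
    # The usage shown on the page: concatenate first, then fix() the whole string.
    # The query's own delimiting quotes get doubled too, so SQL no longer parses.
    sql = "SELECT count(*) FROM t_users WHERE name='" + name + "' and pass = '" + pw + "'"
    sql = fix(sql)
    try:
        return sql, con.execute(sql).fetchone()[0]
    except sqlite3.Error:
        return sql, None


def login_fix_per_value(con, name, pw):
    # Same helper applied where it belongs: to each value before it enters the SQL.
    sql = ("SELECT count(*) FROM t_users WHERE name='" + fix(name)
           + "' and pass = '" + fix(pw) + "'")
    return con.execute(sql).fetchone()[0]


def login_parameterized(con, name, pw):
    # The robust alternative: bound parameters, so data is never parsed as SQL.
    sql = "SELECT count(*) FROM t_users WHERE name=? and pass = ?"
    return con.execute(sql, (name, pw)).fetchone()[0]
```

Names containing a quote such as O'Brien are the useful probe: they exercise exactly the character the helper rewrites.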
C’ya next time,