
SQL Sanitization

This is really funny!
I attended a presentation the other day. The presenter said that, in order to avoid SQL Injection in string parameters, it is possible to double the quotes.

For example:
string fix(string s)
{
    return s.replace("'", "''"); // ' -> ''
}

Let’s assume that’s fine.
Now he showed how to use it:

name = GetUserName();
pass = GetUserPass();
sSql = "SELECT count(*) FROM t_users WHERE name='" + name + "' and pass = '" + pass + "'";
sSql = fix(sSql);

And now the question for you: does fix work well? Is the way "fix" is used fine, or is it hackable? How?
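To let you try the two usages side by side, here is an added example (mine, not the presenter's slide and not part of the original post). It runs the quote-doubling helper once on each value before concatenation and once on the whole assembled statement, as the slide does, and compares both with a bound-parameter query. It uses Python's built-in sqlite3; the table name t_users and the column names come from the slide, while the single constructed user row, the helper names and the in-memory database are assumptions made for the example.

```python
import sqlite3


def fix(s: str) -> str:
    """The presenter's helper: double every single quote (' -> '')."""
    return s.replace("'", "''")


def build_query(name: str, pw: str) -> str:
    """Assemble the statement exactly as the slide does (string concatenation)."""
    return ("SELECT count(*) FROM t_users WHERE name='" + name
            + "' and pass = '" + pw + "'")


def open_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row (example data, assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t_users (name TEXT, pass TEXT)")
    # The stored name contains a quote, so every path has to cope with it.
    con.execute("INSERT INTO t_users VALUES ('O''Brien', 'secret')")
    return con


def count_as_on_slide(con: sqlite3.Connection, name: str, pw: str):
    """fix() applied to the whole assembled statement, as shown in the talk.

    The delimiting quotes written by build_query() get doubled too, so the
    statement no longer parses; the driver's error text is returned.
    """
    stmt = fix(build_query(name, pw))
    try:
        return con.execute(stmt).fetchone()[0]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def count_per_parameter(con: sqlite3.Connection, name: str, pw: str) -> int:
    """fix() applied to each value before it is concatenated.

    The delimiters stay single, the data quotes are doubled, so the row
    with the quoted name is found.
    """
    stmt = build_query(fix(name), fix(pw))
    return con.execute(stmt).fetchone()[0]


def count_parameterized(con: sqlite3.Connection, name: str, pw: str) -> int:
    """Bound parameters: the driver keeps data and SQL text apart, no escaping needed."""
    stmt = "SELECT count(*) FROM t_users WHERE name=? AND pass=?"
    return con.execute(stmt, (name, pw)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("fix() on whole statement :", count_as_on_slide(db, "O'Brien", "secret"))
    print("fix() per parameter      :", count_per_parameter(db, "O'Brien", "secret"))
    print("bound parameters         :", count_parameterized(db, "O'Brien", "secret"))
```

Running it shows the placement difference directly: the per-parameter and bound-parameter paths each return 1 for the stored user, while the slide's version returns a syntax error because the quotes that delimit the values were doubled together with the quotes inside them. Bound parameters are the form to prefer in real code, since they do not rely on string escaping at all.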

C’ya next time,
