Hi, Sorry for this post if I'm wrong, but what I've allways done to prevent nasty problems like this is to use prepared statements. I come from a world of DB2, and thing may differ a bit on other systems. If I use a prepared statement, I place question marks where ever the data from my appliation should go, ie: UPDATE users SET password=? WHERE username=? Doing this totaly circumvents problems like the one described, since the data is sent to the database driver as a seperate string from the query. Using '=' allso stops folks from using wildcards like '%' in the username to change all the passwords, since wildcard need the LIKE directive in stead of '='. Another thing is that this method does type conversions for you. I know that you still need to 'wash' the input to eliminate dangeorus HTML and JavaScript content, but the risk to your database is greatly reduced. I allso know that using prepared statements might not be applicable in all software (php?, mysql?). If that is the case, then I would recomend switching to systems that have this feature. Another thing to consider is that there is some compilation time involved in the preparing of statements, but so is it in compilation of 'one-shot' statements. I'm not aware of the difference so I don't know which is faster. Using the same prepared statement over and over is faster than multiple 'one-shot' statements though. Hope this helps, Thorhallur Sverrisson, thorhsat_private On Sat, Sep 08, 2001 at 04:28:34PM +0200, Sverre H. Huseby wrote: > [Kevin Spett] > > | I would like to know if there are other ways of doing this. > > You could look for a place where your input is stored in a databse > without validation, and insert a sub-select that picks up the > information you want. > > Example: I was working my way through a system yesterday. In this > system I could register new users. On the user preferences page, I > could change my E-mail address. Fortunately, the programmers had > forgotten to "wash" the input, so I was able to enter the following as > my E-mail address: > > ' + (SELECT password FROM users WHERE username='foobar') + ' > > The + signs are used for string concatenation in MS SQL Server. After > entering this text, my E-mail field was updated to contain the > password of the user foobar. (Long live clear text passwords! :) ) > > My input probably resultet in an SQL query that looks like this: > > UPDATE users > SET email='' + (SELECT password FROM users WHERE username='foobar') + '' > ------------------------------------------------------------ > WHERE username='sverre' > > The underlined text is the "E-mail address" provided by me. > > Hope this helps a litte bit. > > > Sverre. > > -- > shhat_private Try my Nerd Quiz at > http://shh.thathost.com/ http://nerdquiz.thathost.com/ > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 12:28:12 PDT