Re: malformed sql queries

From: JayBonci (jayat_private)
Date: Sat Dec 29 2001 - 19:44:40 PST


    Problem is, it's a different problem when using ODBC stuff and when doing
    say a standard connection to a mysql server. I don't see anything vulnerable
    (this by no means means that it's not) with a % (or any other mysql regexp),
    because you need to explicitly call that regular expression with a LIKE
    statement in order for it to do anything.
    
    LIKE "%%h%%" may not do anything. (haven't tried)  The quotes in mysql are
    the real dangers, IMO, because if you are forming the string raw (BAD!) then
    they can start manipulating things with the quotes.  The semicolon isn't
    necessary as it's not a special character inside of a string.
    
    Please let me know if I'm wrong.
    
            --JB
    
    
    
    ----- Original Message -----
    From: "Peter Gutmann" <pgut001at_private>
    To: <vuln-devat_private>
    Sent: Saturday, December 29, 2001 10:19 PM
    Subject: Re: malformed sql queries
    
    
    > "JayBonci" <jayat_private> writes:
    >
    > >Wrap all your functions and do a $id =~ s/\'/\\\'/g; On your stuff.
    >
    > That isn't really enough though.  At the moment I automatically escape ''',
    > '\', '%', and ';', and also '|' under Windows (wonderful option that last one,
    > try '|shell("cmd /c echo " & chr(124) & " format c:")|' on an ODBC data
    > source).  Are there any more which need to be caught?
    >
    > Peter.
    >
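The distinction the two posters are circling (a quote changes the statement, a semicolon inside a string does not, and % only matters once the value is used as a LIKE pattern) is easy to see with bound parameters side by side with a raw-concatenated query. The block below is an added example, not code from either poster or from vuln-dev; it uses Python's built-in sqlite3 as a stand-in for the MySQL server under discussion (placeholder syntax differs between drivers, the behaviour shown does not), seeds a constructed table, and picks the backslash as the LIKE ESCAPE character, which is this example's choice rather than anything the thread specifies.

```python
import sqlite3

# Constructed sample rows (not from the thread). sqlite3 stands in for the MySQL
# server under discussion: placeholder syntax differs by driver, the principle does not.
ROWS = [("alice", "a1"), ("bob", "b2"), ("o'brien", "o3"), ("100%", "p4")]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_raw(conn, name):
    """The 'forming the string raw' pattern: the value is pasted into the statement
    text, so a quote inside it changes the statement instead of the data."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def raw_query_survives(conn, name):
    """True if lookup_raw() parsed and ran; False when the value broke the statement."""
    try:
        lookup_raw(conn, name)
        return True
    except sqlite3.OperationalError:
        return False


def lookup_bound(conn, name):
    """Bound parameter: the value never joins the statement text, so a quote,
    a semicolon or a % is plain data under an equality comparison."""
    cur = conn.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


def search_like_naive(conn, fragment):
    """Binding alone is not enough once the value becomes a LIKE pattern:
    % and _ keep their wildcard meaning inside the pattern."""
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ?",
                       ("%" + fragment + "%",))
    return [row[0] for row in cur]


def search_like_escaped(conn, fragment):
    """Neutralise the wildcards with an ESCAPE clause. The backslash as escape
    character is this example's choice (assumption); MySQL accepts the same clause."""
    literal = (fragment.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
                       ("%" + literal + "%",))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print("raw, plain name:    ", lookup_raw(db, "bob"))
    print("raw, quoted name ok:", raw_query_survives(db, "o'brien"))
    print("bound, quoted name: ", lookup_bound(db, "o'brien"))
    print("bound, semicolon:   ", lookup_bound(db, "bob; x"))
    print("LIKE naive, '%':    ", search_like_naive(db, "%"))
    print("LIKE escaped, '%':  ", search_like_escaped(db, "%"))
```

Run it and the raw query fails on a name with an apostrophe while the bound query returns the right row; a semicolon inside a bound value is just characters; and the only place % still needs attention is inside a LIKE pattern, where the ESCAPE clause rather than driver-level quoting is the right fix.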
    



    This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 20:09:33 PST