[Mono-list] Re: magic quotes (like PHP) (or prevent SQL Injection)

Richard Norman normri@samc.com
Fri, 08 Apr 2005 13:00:48 -0700


I am not sure if this is database specific, but to avoid SQL Injection attacks, what should be going on in all queries (but it is developer's choice today) is that you use parameters in the query.

Either parameterized queries or stored procedures. We mostly use SQL server so I am not sure how other DBMS handle this, but in SQL server when you use parameters, the "special" characters are automatically escaped properly.

If you are using a concat string, then you could be vulnerable to this attack. Microsoft has been talking about it a lot in their security talks recently.

Something like the following (using C#) is better.
*******************************************
// Build the statement with a placeholder instead of concatenating the value into the SQL text.
System.Data.SqlClient.SqlCommand test1;
test1 = new System.Data.SqlClient.SqlCommand("Select name from table where [ID]=@tempID");
test1.CommandType = System.Data.CommandType.Text;
// Declare the parameter with an explicit type and length, then bind the input value to it.
System.Data.SqlClient.SqlParameter para1 = new System.Data.SqlClient.SqlParameter("@tempID", System.Data.SqlDbType.VarChar, 50);
para1.Value = tempID; // tempID: the user-supplied string (assumed to be in scope); the driver sends it separately from the SQL text
test1.Parameters.Add(para1);
*******************************************

But that is what I recommend if the system supports it. And if not, scrub the data REALLY well. ;-)

Richard Norman
Web & Application Developer
http://www.jazzynupe.net/Community/blog/

Refs:
http://search.microsoft.com/search/results.aspx?qu=SQL+Injection&View=msdn&st=b&c=0&s=1&swc=0

http://toolbar.search.msn.com/results.aspx?FORM=DESKBR&q=SQL+Injection

>>> mono-list-request@lists.ximian.com 4/7/2005 6:22:12 PM >>>

Message: 1
From: James Grant <topace@lightbox.org>
Organization: Lightbox Technologies Inc
To: mono-list@lists.ximian.com
Date: Thu, 7 Apr 2005 12:06:36 -0400
Subject: [Mono-list] magic quotes (like PHP)

Hi there,
I'm running into an issue with an application that has been ported over from
Windows to Linux/Mono.  On Windows, you could enter apostrophes in input
boxes which are then stored in the database without any problems, but on Mono
it seems that the apostrophes all need to be manually escaped on every
query.

I know PHP has an option for "magic quotes"
    http://ca.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime

and was wondering if Mono had a similar configuration option?

Thanks,
  James


-- 
James Grant
Lightbox Technologies Inc.
http://www.lightbox.org
613-294-3670



--------------------------------------------------------------
Confidentiality Note:  This e-mail is intended only for the person or entity to which it is addressed, and may contain information that is privileged, confidential, or otherwise protected from disclosure.  Dissemination, distribution, or copying of this e-mail or the information herein by anyone other than the intended recipient(s) is prohibited.  If you have received this e-mail in error, please notify the sender by reply e-mail and destroy the original message and all copies.

--------------------------------------------------------------
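The difference between the "concat string" query the reply warns against and a parameterized one, as an added example that is not part of the original message or of Mono/ADO.NET. It is written in Python against an in-memory SQLite database so it runs without a SQL Server instance; the `users` table and the names in it are constructed for the demonstration. The `?` and `:name` placeholders play the role of SqlCommand's `@tempID`, and `lookup_concat` reproduces the apostrophe symptom from the original question: an input such as `O'Brien` turns the concatenated statement into invalid SQL, while the parameterized forms store and look it up unchanged with no manual escaping.

```python
import sqlite3

# Constructed sample rows (not taken from the mailing-list post).
SAMPLE_USERS = [(1, "Alice"), (2, "O'Brien"), (3, "Bob")]


def make_db():
    """In-memory SQLite database standing in for the SQL Server table in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """The 'concat string' approach: the value is pasted into the SQL text,
    so any apostrophe in it becomes part of the statement's syntax."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Positional placeholder: the driver passes the value separately from the
    SQL text, so quote characters in it are never parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_named(conn, name):
    """Named placeholder, the closest analogue of SqlCommand's @tempID."""
    sql = "SELECT id, name FROM users WHERE name = :name"
    return conn.execute(sql, {"name": name}).fetchall()


def add_user(conn, user_id, name):
    """Parameterized INSERT: the apostrophe is stored exactly as typed.
    Returns the row read back so the round trip can be checked."""
    conn.execute(
        "INSERT INTO users (id, name) VALUES (:id, :name)",
        {"id": user_id, "name": name},
    )
    conn.commit()
    return lookup_named(conn, name)


def concat_fails_on(conn, name):
    """True when the concatenated query cannot even be parsed for this input;
    this is the error the original question ran into on every query."""
    try:
        lookup_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for value in ("Alice", "O'Brien"):
        print(value, "| concat breaks:", concat_fails_on(db, value),
              "| param result:", lookup_param(db, value))
    print(add_user(db, 4, "D'Angelo"))
```

The point of `concat_fails_on` is that the concatenated form is not merely hard to escape correctly: the same code path that fails on an innocent apostrophe is the one that lets a crafted value alter the statement, which is why the reply treats parameters rather than escaping as the fix.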
