Protecting against SQL injection

Discussion in 'Python' started by Tor Erik Soenvisen, Oct 24, 2006.

  1. Hi,

    How safe is the following code against SQL injection:

    # Get user privilege
    digest = sha.new(pw).hexdigest()
    # Protect against SQL injection by escaping quotes
    uname = uname.replace("'", "''")
    sql = 'SELECT privilege FROM staff WHERE ' + \
    'username=\'%s\' AND password=\'%s\'' % (uname, digest)
    res = self.oraDB.query(sql)

    pw is the supplied password abd uname is the supplied password.

    regards
     
    Tor Erik Soenvisen, Oct 24, 2006
    #1
    1. Advertising

  2. Tor Erik Soenvisen

    Paul Rubin Guest

    Tor Erik Soenvisen <> writes:
    > # Protect against SQL injection by escaping quotes


    Don't ever do that, safe or not. Use query parameters instead.
    That's what they're for.
     
    Paul Rubin, Oct 24, 2006
    #2
    1. Advertising

  3. Tor Erik Soenvisen

    Ben Finney Guest

    Paul Rubin <"http://phr.cx"@NOSPAM.invalid> writes:

    > Tor Erik Soenvisen <> writes:
    > > # Protect against SQL injection by escaping quotes

    >
    > Don't ever do that, safe or not. Use query parameters instead.
    > That's what they're for.


    More specifically: They've been debugged for just these kinds of
    purposes, and every time you code an ad-hoc escaping-and-formatting
    SQL query, you're inviting all the bugs that have been found and
    removed before.

    --
    \ "Welchen Teil von 'Gestalt' verstehen Sie nicht? [What part of |
    `\ 'gestalt' don't you understand?]" -- Karsten M. Self |
    _o__) |
    Ben Finney
     
    Ben Finney, Oct 24, 2006
    #3
  4. Ben Finney wrote:

    > More specifically: They've been debugged for just these kinds of
    > purposes


    in a well-designed database, the SQL parser never sees the parameter values,
    so *injection* attacks are simply not possible.

    </F>
     
    Fredrik Lundh, Oct 24, 2006
    #4
  5. Tor Erik Soenvisen

    Steve Holden Guest

    Tor Erik Soenvisen wrote:
    > Hi,
    >
    > How safe is the following code against SQL injection:
    >
    > # Get user privilege
    > digest = sha.new(pw).hexdigest()
    > # Protect against SQL injection by escaping quotes
    > uname = uname.replace("'", "''")
    > sql = 'SELECT privilege FROM staff WHERE ' + \
    > 'username=\'%s\' AND password=\'%s\'' % (uname, digest)
    > res = self.oraDB.query(sql)
    >
    > pw is the supplied password abd uname is the supplied password.
    >

    Slightly safer than not doing anything to the user-supplied inputs, but
    nowehere near as safe as it needs to be. Use parameterized queries!

    regards
    Steve
    --
    Steve Holden +44 150 684 7255 +1 800 494 3119
    Holden Web LLC/Ltd http://www.holdenweb.com
    Skype: holdenweb http://holdenweb.blogspot.com
    Recent Ramblings http://del.icio.us/steve.holden
     
    Steve Holden, Oct 24, 2006
    #5
  6. Tor Erik Soenvisen

    Aahz Guest

    In article <Xns986662F736DD5toreriknpolarno@129.242.5.222>,
    Tor Erik Soenvisen <> wrote:
    >
    >How safe is the following code against SQL injection:
    >
    > # Get user privilege
    > digest = sha.new(pw).hexdigest()
    > # Protect against SQL injection by escaping quotes
    > uname = uname.replace("'", "''")
    > sql = 'SELECT privilege FROM staff WHERE ' + \
    > 'username=\'%s\' AND password=\'%s\'' % (uname, digest)
    > res = self.oraDB.query(sql)


    Do yourself a favor at least and switch to using double-quotes for the
    string. I also recommend switching to triple-quotes to avoid the
    backslash continuation.
    --
    Aahz () <*> http://www.pythoncraft.com/

    "If you don't know what your program is supposed to do, you'd better not
    start writing it." --Dijkstra
     
    Aahz, Oct 24, 2006
    #6
  7. Tor Erik Soenvisen wrote:
    > How safe is the following code against SQL injection:
    >
    > # Get user privilege
    > digest = sha.new(pw).hexdigest()
    > # Protect against SQL injection by escaping quotes
    > uname = uname.replace("'", "''")
    > sql = 'SELECT privilege FROM staff WHERE ' + \
    > 'username=\'%s\' AND password=\'%s\'' % (uname, digest)
    > res = self.oraDB.query(sql)


    This is definitely *not* safe.

    For instance, set uname = r"\' or 1=1 --"

    You must replace the backslash with a double backslash as well.
    But as already suggested, you should better use query parameters.

    -- Christoph
     
    Christoph Zwerschke, Nov 22, 2006
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. poppy

    SQL Injection Attacks

    poppy, Nov 2, 2004, in forum: ASP .Net
    Replies:
    4
    Views:
    419
    Scott Allen
    Nov 3, 2004
  2. Darrel
    Replies:
    9
    Views:
    3,648
    Steve C. Orr [MVP, MCSD]
    Nov 11, 2004
  3. Pierre Phaneuf
    Replies:
    1
    Views:
    363
    Leor Zolman
    Apr 4, 2004
  4. Esben von Buchwald

    Protecting against callbacks queuing up?

    Esben von Buchwald, Aug 24, 2009, in forum: Python
    Replies:
    23
    Views:
    796
    Dennis Lee Bieber
    Aug 29, 2009
  5. Griff

    Defending against SQL injection....

    Griff, Jul 7, 2005, in forum: ASP General
    Replies:
    4
    Views:
    156
    mark | r
    Jul 7, 2005
Loading...

Share This Page