Protecting against SQL injection

T

Tor Erik Soenvisen

Hi,

How safe is the following code against SQL injection:

# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)

pw is the supplied password abd uname is the supplied password.

regards
 
P

Paul Rubin

Tor Erik Soenvisen said:
# Protect against SQL injection by escaping quotes
Click to expand...

Don't ever do that, safe or not. Use query parameters instead.
That's what they're for.
 
B

Ben Finney

Paul Rubin said:
Don't ever do that, safe or not. Use query parameters instead.
That's what they're for.
Click to expand...

More specifically: They've been debugged for just these kinds of
purposes, and every time you code an ad-hoc escaping-and-formatting
SQL query, you're inviting all the bugs that have been found and
removed before.
 
F

Fredrik Lundh

Ben said:
More specifically: They've been debugged for just these kinds of
purposes
Click to expand...

in a well-designed database, the SQL parser never sees the parameter values,
so *injection* attacks are simply not possible.

</F>
 
S

Steve Holden

Tor said:
Hi,

How safe is the following code against SQL injection:

# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)

pw is the supplied password abd uname is the supplied password.
Click to expand...
Slightly safer than not doing anything to the user-supplied inputs, but
nowehere near as safe as it needs to be. Use parameterized queries!

regards
Steve
 
A

Aahz

How safe is the following code against SQL injection:

# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)
Click to expand...

Do yourself a favor at least and switch to using double-quotes for the
string. I also recommend switching to triple-quotes to avoid the
backslash continuation.
 
C

Christoph Zwerschke

Tor said:
How safe is the following code against SQL injection:

# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)
Click to expand...

This is definitely *not* safe.

For instance, set uname = r"\' or 1=1 --"

You must replace the backslash with a double backslash as well.
But as already suggested, you should better use query parameters.

-- Christoph
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

SQL Injection 4
sql injection 5
SQL Injection Prevention Quickfix.. will it work 16
SQL error 1
email validation: just enough to prevent sql injection 7
Unreported exception java.sql.SQLException 3
SQL Injection and preventing querystring abuse 7
Authentication against active directory 1

Members online

Total: 28 (members: 1, guests: 27)
Robots: 354

Forum statistics

Threads
473,755
Messages
2,569,536
Members
45,014
Latest member
BiancaFix3

Latest Threads

Top