• ailaG (unregistered)

    mmmmmmmmm. malicious code in the query string.

  • (cs) in reply to Jay
    Jay:
    Ricky:
    how about using PREPAREd statements? too demodé?

    Prepared statements are fine if the structure of the query is fixed and the only thing that can change is the values. Yes, the example I gave was a simple one like that where a prepared statement would solve the problem. If I'd anticipated that objection I would have used a different example. Like:

    Haven't you ever had a case where you wanted to build a SQL statement with many possible constructions? I routinely write code where the user can specify one or more of many constraints on some sort of "find records meeting condition" screen, so after collecting all the parameters I write something like:

    StringBuilder sql=new StringBuilder();
    sql.append("select ... whatever ... from customer_order");
    sql.append(" where division=").append(Db.q(division));
    if (account!=null)
      sql.append(" and account=").append(Db.q(account));
    if (fromDate!=null)
      sql.append(" and from_date>=").append(Db.q(fromDate));
    if (thruDate!=null)
      sql.append(" and thru_date<=").append(Db.q(thruDate));
    if (deliveryMethod.equals("U"))
      sql.append(" and (delivery=true or status='H')");
    ... etc ...
    
    OK:
    SqlCommand sqlActual = new SqlCommand();
    // The query text only ever grows by fixed fragments containing @placeholders;
    // every user-supplied value is bound as a parameter instead.
    sqlActual.CommandText = "SELECT whatever FROM customer_order";
    sqlActual.CommandText += " WHERE division = @Division";
    sqlActual.Parameters.Add(new SqlParameter("@Division", division));
    if (account != null)
    {
        sqlActual.CommandText += " AND account = @Account";
        sqlActual.Parameters.Add(new SqlParameter("@Account", account));
    }
    if (fromDate != null)
    {
        sqlActual.CommandText += " AND from_date >= @FromDate";
        sqlActual.Parameters.Add(new SqlParameter("@FromDate", fromDate));
    }
    /* etc */
    

    There you go. (written for SqlServer using C# or ASP.NET, but I'm sure you can figure out something similar elsewhere.)

    And I'm not even paid to write SQL or any other programs, yet I know the above and have verified that it works. Gads I need a programming job...
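    The same idea as the reply above (the query's structure varies with the filters supplied, but every value is bound), as an added example in Python with the standard sqlite3 module rather than the C# of the post; the table layout and sample rows are constructed here, and the column names are assumed from the thread's snippet.

    ```python
    import sqlite3

    def build_order_query(division, account=None, from_date=None,
                          thru_date=None, delivery_method=None):
        """Grow the WHERE clause per supplied filter, but bind every value.

        Only author-written fragments with '?' markers reach the SQL text; user
        data travels in `params`, so it cannot alter the statement's structure.
        """
        sql = "SELECT id FROM customer_order WHERE division = ?"
        params = [division]
        if account is not None:
            sql += " AND account = ?"
            params.append(account)
        if from_date is not None:
            sql += " AND from_date >= ?"
            params.append(str(from_date))  # ISO dates compare correctly as text
        if thru_date is not None:
            sql += " AND thru_date <= ?"
            params.append(str(thru_date))
        if delivery_method == "U":
            # Fixed fragment with no user data, as in the original snippet.
            sql += " AND (delivery = 1 OR status = 'H')"
        return sql + " ORDER BY id", params

    def find_orders(conn, **filters):
        sql, params = build_order_query(**filters)
        return [row[0] for row in conn.execute(sql, params)]

    def article_count(conn):
        return conn.execute("SELECT COUNT(*) FROM Articles").fetchone()[0]

    def make_demo_db():
        """Constructed sample data (not from the thread) in an in-memory SQLite DB."""
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE customer_order (id INTEGER PRIMARY KEY, division TEXT,"
                     " account TEXT, from_date TEXT, thru_date TEXT, delivery INTEGER, status TEXT)")
        conn.execute("CREATE TABLE Articles (id INTEGER PRIMARY KEY, title TEXT)")
        conn.executemany("INSERT INTO customer_order VALUES (NULL, ?, ?, ?, ?, ?, ?)", [
            ("EAST", "ACME", "2024-01-05", "2024-01-31", 1, "O"),
            ("EAST", "ACME", "2024-03-01", "2024-03-31", 0, "H"),
            ("WEST", "GLOBEX", "2024-02-10", "2024-02-28", 0, "O"),
        ])
        conn.execute("INSERT INTO Articles VALUES (1, 'Some one is trying to Hack the Site')")
        return conn

    if __name__ == "__main__":
        db = make_demo_db()
        print(find_orders(db, division="EAST", account="'); DELETE FROM Articles; --"))  # -> []
        print(article_count(db))  # -> 1
    ```

    The payload posted elsewhere in this thread is only a bound value here, so no rows match and the Articles table is untouched.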

  • Vertigo (unregistered)

    '); DELETE FROM Articles; --

  • ClaudeSuck.de (unregistered) in reply to Anonymous
    Anonymous:
    Forgetting semicolons much?

    '); DELETE FROM Articles --

    Oracle needs them; SQL Server doesn't.

  • ClaudeSuck.de (unregistered) in reply to NaN
    NaN:
    ClaudeSuck.de:
    "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_"

    I wonder how this can help. Or, what would happen to the following post?

    "For last year'selection I created a new slogan which altered the way we look at things. Many people inserted and dropped their votes in the containers. Before we can delete them we have to update the results..."

    It wouldn't for all of them: the %20 is a space, so the ones you did not include a space after (all the ones you put inside of words, selection, created...) would not show up. Delete and Update WOULD have shown up, but you made them BOLD, so your post would NOT have triggered it, despite all the SQL keywords you used.

    Trippy.

    mea culpa, mea maxima culpa.

    I was a bit too fast, indeed. But it still wouldn't allow a sentence like "Did God create the universe?"

  • Me! (unregistered)

    "We goan' drop the bomb on the concert next week with this whoopin' tune I got."

    • This message has been blocked as a suspect SQL injection attempt.

    Captcha: minim

  • Stewart Moss (unregistered)

    It will not protect you from "delete/%20/%20from%20tbl_tablename"

    because you are detecting "delete%20"

  • Peso (unregistered)

    Poor Valter Borges...

  • Unanimously Anonymous (unregistered)

    Would you prefer it if we INSERTed LOLCats?

  • Parsingphase (unregistered) in reply to tragomaskhalos

    It's important to pay attention to these detials.

  • (cs)

    ') DELETE FROM Articles --

    <.<

    Did it work?

  • free (unregistered) in reply to Rory Fitzpatrick

    hack this http://hub.iibn.info pleaseeeeeee

Leave a comment on “Some one is trying to Hack the Site”
