Sunday May 29th 2016

SQL injection countermeasure failures

Cute article about sanitizing form input…

…found this next snippet in the authentication code for the project he’d been assigned to.

// The following string is an SQL comment, and could
// blank out the check for password in our SQL statement
// if used in the username!
if (username.indexOf("';--")!=-1) {
    throw new AuthorisationException(username
      +" given as login name contains ';--, this is bad for SQL!");
}

// Get the (hopefully single) id of the player with
// this name and password. Note that username and password
// are still concatenated straight into the query text.
ResultSet authorised = statement.executeQuery(
    "SELECT id FROM table_name_redacted WHERE "
    + "username='"+username
    +"' AND password='"+password+"';");

It’s a bit better, but doesn’t quite fool the hacker who uses the `'; --` attack instead of `';--`.
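To make the failure concrete, here is an added example (not code from this post or from the project it quotes) that ports the snippet's logic to Python over an in-memory SQLite table: the same exact-substring check and string-built query, beside the parameterized form that makes the check unnecessary. The `users` table, its rows and the `admin` account are constructed for the example.

```python
import sqlite3


class AuthorisationError(Exception):
    """Raised when the exact-substring check rejects a username."""


def make_db():
    """Constructed sample data: an in-memory table with two users (table name
    and rows are made up for this example, not taken from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def blacklist_rejects(username):
    """Port of the snippet's countermeasure: reject only the exact substring ';--.
    Any variation (a space before the comment marker, a different comment
    style, no comment at all) slips through."""
    return "';--" in username


def login_concatenated(conn, username, password):
    """Port of the snippet's lookup: the check above, then a query built by
    string concatenation. Returns the matching user id, or None."""
    if blacklist_rejects(username):
        raise AuthorisationError(
            username + " given as login name contains ';--, this is bad for SQL!"
        )
    sql = (
        "SELECT id FROM users WHERE "
        + "username='" + username
        + "' AND password='" + password + "';"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders let the driver bind the values, so the
    username is compared as data and never parsed as SQL. No blacklist needed."""
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # The post's two inputs: the blocked form and the variant with a space.
    blocked = "admin';--"
    variant = "admin'; --"
    print("blacklist rejects blocked form:", blacklist_rejects(blocked))  # True
    print("blacklist rejects variant:     ", blacklist_rejects(variant))  # False
    # With the variant, the concatenated query becomes
    #   SELECT id FROM users WHERE username='admin'; --' AND password='wrong';
    # so the password clause is commented out and the lookup succeeds.
    print("concatenated, wrong password: ", login_concatenated(conn, variant, "wrong"))   # 1
    print("parameterized, wrong password:", login_parameterized(conn, variant, "wrong"))  # None
```

The point the example makes is that the substring check is not a countermeasure at all: the vulnerable line is the concatenation, and once the query is parameterized the same input is just a username that matches nobody.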
