May 9th, 2007, 11:48 AM
Prone To Injection Attack?
Recently, BrailleSchool posted this code
strSQL = "SELECT Un, Pw " & _
         "FROM Auth " & _
         "WHERE Un = '" & txtUsername.Text & "' " & _
         "AND Pw = '" & txtPassword.Text & "'"
To which ShaggyHiker responded
That leaves your SQL open to a slightly obscure harassing attack called something like an Insertion attack.
I understand what an Insertion Attack is, and it would appear that we are prone to them where I work, except for one thing; we use .Replace("'", "''") whenever (most of the time anyway) we insert user-inputted text into a SQL statement. Like this:
strSQL = "SELECT Un, Pw " & _
         "FROM Auth " & _
         "WHERE Un = '" & txtUsername.Text.Replace("'", "''") & "' " & _
         "AND Pw = '" & txtPassword.Text.Replace("'", "''") & "'"
So, my question is, can anyone demonstrate how they could still do an insertion attack with those .Replaces in there? I know creating and adding parameters is the safest way, but are we safe (enough) using our method?
Last edited by 18experience; May 9th, 2007 at 12:30 PM.
VB.Net 2008
.Net Framework 2.0
"Must you breathe? 'Cause I need heaven..."
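An added example (not code from the thread), in Python with sqlite3 rather than the poster's VB.NET/ADO.NET, running the three variants side by side against a constructed in-memory Auth table: the unescaped concatenation, the .Replace("'", "''") version, and a parameterised query. Doubling quotes only protects a value that sits inside a single-quoted string literal; with parameters the value never becomes part of the SQL text at all, which is what SqlParameter does in ADO.NET.

```python
import sqlite3

# Constructed stand-in for the post's Auth table (Un, Pw); not real credentials.
SAMPLE_ROWS = [("alice", "s3cret"), ("o'brien", "pw2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Auth (Un TEXT, Pw TEXT)")
    conn.executemany("INSERT INTO Auth VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, un, pw, escape):
    """String-built query as in the post. escape=True applies the
    .Replace("'", "''") step; escape=False is the original version."""
    if escape:
        un, pw = un.replace("'", "''"), pw.replace("'", "''")
    sql = "SELECT Un, Pw FROM Auth WHERE Un = '%s' AND Pw = '%s'" % (un, pw)
    return conn.execute(sql).fetchall()


def lookup_param(conn, un, pw):
    """Parameterised form: values travel separately from the SQL text,
    so there is no quoting step to forget."""
    sql = "SELECT Un, Pw FROM Auth WHERE Un = ? AND Pw = ?"
    return conn.execute(sql, (un, pw)).fetchall()


def _count(fn):
    try:
        return len(fn())
    except sqlite3.Error:
        return "error"  # the input broke the SQL text itself


def compare(un, pw):
    """Row counts for (unescaped, escaped, parameterised) on one input."""
    conn = make_db()
    try:
        return (
            _count(lambda: lookup_concat(conn, un, pw, escape=False)),
            _count(lambda: lookup_concat(conn, un, pw, escape=True)),
            _count(lambda: lookup_param(conn, un, pw)),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice", "s3cret"))   # (1, 1, 1): a valid login
    print(compare("o'brien", "pw2"))    # ('error', 1, 1): quote in a name
    print(compare("x", "' OR '1'='1"))  # (2, 0, 0): unescaped returns all rows
```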