[Esapi-user] SQL Codecs

Jim Manico jim.manico at owasp.org
Mon Aug 2 14:13:35 EDT 2010


Yes, this is all (I think) you need to encode if user data is placed in a quoted where-clause context. There are a limited number of 'slots' in a dynamic SQL statement that user data can go into safely. Check out Dave Wichers' SQL cheat sheet for more information: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

- Jim

On Aug 2, 2010, at 5:20 AM, Joel Fessler <jfessler at denimgroup.com> wrote:

> I am working on implementing codecs to encode for MsSQL, DB2 and Sybase. The only character that I have found that I need to encode for is a single quote. Does anyone know of anything else that I need to encode for or where I can find this out?
> 
> Joel Fessler
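Added example, not code from this thread or from ESAPI: the quoted-string slot described above, exercised end to end. SQLite stands in for MSSQL, DB2 and Sybase here because all of them escape a quote inside a single-quoted string literal the same way, by doubling it; the users table, the row values and the attack strings are constructed for the example. It shows the single-quote codec stopping an injection in a quoted where-clause while still accepting a legitimate apostrophe, then shows the same codec doing nothing for an unquoted numeric slot, which is the "limited number of slots" caveat, with a bound parameter alongside for comparison.

```python
import sqlite3


def encode_for_sql_string(value: str) -> str:
    """Encode a value for a single-quoted SQL string literal.

    In MSSQL, DB2, Sybase (and SQLite, used here as a stand-in) the only
    character with special meaning inside '...' is the quote itself, escaped
    by doubling it. Semicolons, '--', newlines and so on are plain text inside
    the literal, so this is sufficient for that slot and only for that slot.
    """
    return value.replace("'", "''")


def _sample_db() -> sqlite3.Connection:
    """Constructed sample table (assumption for the example, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "o'brien", "user")],
    )
    return conn


def _run(conn: sqlite3.Connection, sql: str) -> list:
    """Run a dynamically built statement; surface parse errors as a result row."""
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return ["ERROR: " + str(exc)]


def lookup_by_name(name: str, encode: bool) -> list:
    """Quoted where-clause slot: ... WHERE name = '<user data>'."""
    value = encode_for_sql_string(name) if encode else name
    sql = f"SELECT name FROM users WHERE name = '{value}' ORDER BY id"
    return _run(_sample_db(), sql)


def lookup_by_id(id_text: str, encode: bool) -> list:
    """Unquoted slot: ... WHERE id = <user data>.

    Quote-escaping cannot help here: the attack needs no quote at all. The value
    must be validated as an integer or bound as a parameter instead.
    """
    value = encode_for_sql_string(id_text) if encode else id_text
    sql = f"SELECT name FROM users WHERE id = {value} ORDER BY id"
    return _run(_sample_db(), sql)


def lookup_by_name_param(name: str) -> list:
    """Preferred form: a bound parameter, no string building at all."""
    conn = _sample_db()
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    attack = "' OR '1'='1"
    print(lookup_by_name(attack, encode=False))    # all rows: injection succeeds
    print(lookup_by_name(attack, encode=True))     # []: treated as a literal name
    print(lookup_by_name("o'brien", encode=True))  # ["o'brien"]: apostrophe preserved
    print(lookup_by_id("1 OR 1=1", encode=True))   # all rows: codec irrelevant in this slot
    print(lookup_by_name_param(attack))            # []
```

The numeric case is the one to keep in mind when building codecs: a quote-doubling encoder is correct for the string-literal slot and nothing else, so the calling code has to know which slot it is filling, and for identifiers (table or column names) or ORDER BY clauses the only safe approach is a whitelist.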

