[Esapi-user] SQL Codecs
jeff.williams at aspectsecurity.com
Mon Aug 2 15:59:39 EDT 2010
Currently, our encoding model for SQL only supports this quoted where-clause context. Do we need a more sophisticated model to support user-data in *other* contexts within a SQL query?
From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Monday, August 02, 2010 2:14 PM
To: Joel Fessler
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] SQL Codecs
Yes, this is all (I think) you need to encode if user data is placed in a quoted where-clause context. There are a limited number of 'slots' in a dynamic SQL statement that user data can go safely. Check out Dave Wichers SQL cheatsheet for more information: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
On Aug 2, 2010, at 5:20 AM, Joel Fessler <jfessler at denimgroup.com> wrote:
I am working on implementing codecs to encode for MsSQL, DB2 and Sybase. The only character that I have found that I need to encode for is a single quote. Does anyone know of anything else that I need to encode for or where I can find this out?
Esapi-user mailing list
Esapi-user at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Esapi-user