[Esapi-user] SQL Codecs

Jeff Williams jeff.williams at aspectsecurity.com
Mon Aug 2 15:59:39 EDT 2010


Currently, our encoding model for SQL only supports this quoted where-clause context.  Do we need a more sophisticated model to support user-data in *other* contexts within a SQL query?


--Jeff


From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Monday, August 02, 2010 2:14 PM
To: Joel Fessler
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] SQL Codecs


Yes, this is all (I think) you need to encode if user data is placed in a quoted where-clause context. There are a limited number of 'slots' in a dynamic SQL statement that user data can go safely. Check out Dave Wichers' SQL cheat sheet for more information: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet


- Jim


On Aug 2, 2010, at 5:20 AM, Joel Fessler <jfessler at denimgroup.com> wrote:

	I am working on implementing codecs to encode for MsSQL, DB2 and Sybase. The only character that I have found that I need to encode for is a single quote. Does anyone know of anything else that I need to encode for or where I can find this out?


	Joel Fessler



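An added example (my own code, not ESAPI's codec and not from anyone in this thread) of the two kinds of 'slot' discussed above: single-quote doubling for the quoted where-clause context, checked by actually executing the resulting literal, and an allowlist for an identifier context where no encoding applies. It assumes SQLite's string-literal quoting matches the ANSI rule the MSSQL, DB2 and Sybase codecs target.

```python
import sqlite3

# Quoted where-clause context (the one "slot" the codec in this thread covers):
# ANSI SQL, MSSQL, DB2 and Sybase escape a single quote inside a string literal
# by doubling it. Caveat: a dialect that also treats backslash as an escape
# character (MySQL in its default sql_mode) needs more than this.
def encode_for_quoted_string(value: str) -> str:
    """Escape user data for placement inside a single-quoted SQL string literal."""
    return value.replace("'", "''")


def quote_literal(value: str) -> str:
    """Return user data as a complete, quoted SQL string literal."""
    return "'" + encode_for_quoted_string(value) + "'"


# Identifier context (column in ORDER BY, table name): string escaping does not
# apply here, so user data is restricted to an allowlist of known identifiers.
def identifier_allowed(name: str, allowed: frozenset) -> bool:
    return name in allowed


def safe_identifier(name: str, allowed: frozenset) -> str:
    if not identifier_allowed(name, allowed):
        raise ValueError(f"identifier not in allowlist: {name!r}")
    return name


def roundtrip_through_sql(value: str) -> str:
    """Parse check using in-memory SQLite as a stand-in for the target dialects
    (an assumption; it shares the quote-doubling rule): the encoded literal must
    come back as exactly one value equal to the original input."""
    conn = sqlite3.connect(":memory:")
    try:
        rows = conn.execute("SELECT " + quote_literal(value)).fetchall()
        if len(rows) != 1 or len(rows[0]) != 1:
            raise AssertionError("literal did not parse as a single value")
        return rows[0][0]
    finally:
        conn.close()


def build_query(name: str, order_by: str) -> str:
    """Dynamic statement with user data in both contexts handled explicitly."""
    columns = frozenset({"name", "created"})  # constructed allowlist
    return ("SELECT id, name FROM users WHERE name = " + quote_literal(name)
            + " ORDER BY " + safe_identifier(order_by, columns))
```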