[Esapi-user] SQL Codecs

August Detlefsen augustd at codemagi.com
Mon Aug 2 16:09:16 EDT 2010


I've seen cases where other parts of a SQL query were generated 
dynamically: table and column names, and especially the ORDER BY clause. 
Though, these types of options should be selected from a whitelist and 
the SQL hidden from the end-user.

-August


On 8/2/10 12:59 PM, Jeff Williams wrote:
>
> Currently, our encoding model for SQL only supports this quoted 
> where-clause context.  Do we need a more sophisticated model to 
> support user-data in **other** contexts within a SQL query?
>
> --Jeff
>
> *From:* esapi-user-bounces at lists.owasp.org 
> [mailto:esapi-user-bounces at lists.owasp.org] *On Behalf Of *Jim Manico
> *Sent:* Monday, August 02, 2010 2:14 PM
> *To:* Joel Fessler
> *Cc:* esapi-user at lists.owasp.org
> *Subject:* Re: [Esapi-user] SQL Codecs
>
> Yes, this is all (I think) you need to encode if user data is placed 
> in a quoted where-clause context. There are a limited number of 
> 'slots' in a dynamic SQL statement that user data can go safely. Check 
> out Dave Wichers SQL cheatsheet for more information: 
> http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
>
>
> - Jim
>
>
> On Aug 2, 2010, at 5:20 AM, Joel Fessler <jfessler at denimgroup.com 
> <mailto:jfessler at denimgroup.com>> wrote:
>
>     I am working on implementing codecs to encode for MsSQL, DB2 and
>     Sybase. The only character that I have found that I need to encode
>     for is a single quote. Does anyone know of anything else that I
>     need to encode for or where I can find this out?
>
>     Joel Fessler
>
>     _______________________________________________
>     Esapi-user mailing list
>     Esapi-user at lists.owasp.org <mailto:Esapi-user at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>    

-- 
August Detlefsen
CEO/Web Application Architect
CodeMagi, Inc.
http://www.codemagi.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100802/53011f9e/attachment.html 


More information about the Esapi-user mailing list