Re: SQL Injection



Make sure you always escape single quotes and other magic characters when
you enter data into your database. Always assume every field you get from
the user (form, url, or cookie based) has malicious data in it.

For example, say you had a form where users could update their email address
and you used the result from that to update the database with:

SQL.Text := Format('update usertable set usr_email = ''%s'' where usr_id = %d', [emailfield, idfield]);

Now if you didn't remove escape chars from the input, a user could possibly
set their email address to:
'GO delete * FROM systables'

Resulting in you running the query:

update usertable set usr_email = '' GO delete * from systables'

(notice the double single quote before the GO)



"VT Venkatesh" <venks@xxxxxxxx> wrote in message
news:43a228b0@xxxxxxxxxxxxxxxxxxxxxxxxx
> Can some one throw light on how to prevent SQL injection with Delphi
> 2005/2006
> Venkatesh
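The pattern described in the reply above, as an added example that is not part of the original post: Python with the standard-library sqlite3 module stands in for the Delphi dataset components so that it runs offline. The table, its rows and the payload string are constructed for the demo. The block shows the formatted-string update from the post, the quote doubling the reply recommends, and parameter binding, which is the preferred fix; in Delphi the equivalent is writing `:email` and `:id` placeholders in SQL.Text and assigning them through ParamByName before ExecSQL, so the server never parses user data as SQL.

```python
import sqlite3

# Constructed sample data mirroring the post's usertable (not from the original post).
SAMPLE_ROWS = [(1, "alice@example.test"), (2, "bob@example.test"), (3, "carol@example.test")]

# Constructed payload: the quote closes the string literal, the rest rewrites the WHERE
# clause, and "--" comments out whatever the template appends afterwards.
PAYLOAD = "x' where 1=1 --"


def make_db():
    """Fresh in-memory database with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table usertable (usr_id integer primary key, usr_email text)")
    con.executemany("insert into usertable values (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def emails(con):
    """usr_id -> usr_email for every row, used to inspect the effect of each update."""
    return dict(con.execute("select usr_id, usr_email from usertable order by usr_id"))


def update_email_unsafe(con, usr_id, email):
    """The pattern from the post: user input pasted straight into the SQL text.
    Any quote in `email` ends the literal and the remainder is executed as SQL."""
    sql = "update usertable set usr_email = '%s' where usr_id = %d" % (email, usr_id)
    con.execute(sql)
    con.commit()
    return sql


def update_email_escaped(con, usr_id, email):
    """What the reply recommends: double every single quote so it stays inside the
    literal. Works for string fields, but every call site must remember to do it,
    and numeric fields still need their own validation (%d forces an int here)."""
    sql = "update usertable set usr_email = '%s' where usr_id = %d" % (
        email.replace("'", "''"), usr_id)
    con.execute(sql)
    con.commit()
    return sql


def update_email_safe(con, usr_id, email):
    """Parameter binding: the SQL text is constant and the values travel separately,
    so quotes, comment markers and keywords in `email` are just characters."""
    sql = "update usertable set usr_email = ? where usr_id = ?"
    con.execute(sql, (email, usr_id))
    con.commit()
    return sql


def demo():
    """Run the same payload through all three variants and return the resulting tables."""
    results = {}
    for name, fn in (("unsafe", update_email_unsafe),
                     ("escaped", update_email_escaped),
                     ("parameterized", update_email_safe)):
        con = make_db()
        fn(con, 2, PAYLOAD)
        results[name] = emails(con)
    return results


if __name__ == "__main__":
    for name, table in demo().items():
        print(name, table)
```

With the unsafe variant every row ends up with the email `x`, because the injected WHERE clause matches everything; the escaped and parameterized variants change only row 2 and store the payload as the literal text it is. Binding is the one to standardise on, since it does not depend on each developer remembering the escaping rule for each field type.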




