Hello! On Wed, 2 Oct 2002, Alan DeKok wrote:
> Yury Bokhoncovich <[EMAIL PROTECTED]> wrote:
> > Hm...there are few risky chars in SQL, namely \0 and apostrophe.
>
> http://www.striker.ottawa.on.ca/~aland/SQLInjectionWhitePaper.pdf

I forgot where I found it originally. Definitely, at SPI. :)

Alan, this issue is well shown in the MySQL Manual in the appropriate section, nothing new, just common sense: "trust no user". But this should not lead to all chars except a few becoming weird, right? :-)

> Are you *sure* that for *all* SQL variants, the only magic
> characters are \0 and ' ?

I'm not willing to say that. I'm sure that SQL escaping is needed for varchar types (timestamp is just a kind of). Numeric should be considered as such anyway (i.e. only -+digits.digits format), so it is enough to look up all \0 and ', then convert \0 to 0x30 or '\0' or just drop it as garbage, and convert an apostrophe to a double one (i.e. ''). In the end the string must have two apostrophes added: one at the beginning, another at the end. The way was proven to work under Postgres and Sybase; I'm gonna check this with Oracle, MSSQL and MySQL. In other words, other checks are unnecessary.

I guess the problem is: can we distinguish the type of the parameter supplied to sql_xlat? If so, sql_xlat should be divided into two different subroutines.

> And it's the duty of hackers to supply any kind of weird characters
> to try to hack your SQL database.

That's not duty, that's fun.

> src/modules/rlm_sql/rlm_sql.c, sql_xlat()

Ah, that long string? Catch this. :)

> It has an explicit inclusion list. Any other characters get
> escaped. While I'm willing to add more characters to the white list,
> I'd rather be safe than sorry.

As I said above, this is the right assumption with a wrong implementation.

> I'd also like to be somewhat safe against admins editing their SQL
> queries, and allowing hackers into their systems. If that happens,
> they'll blame FreeRADIUS, NOT their own mistakes.

Agreed.

> I'd rather see a few characters mangled in the logs, than someone's
> system being hacked.

Not agreed. Mangling of most chars is unnecessary here.

--
WBR, Yury Bokhoncovich, Senior System Administrator, NOC of F1 Group.
Phone: +7 (3832) 106228, ext.140, E-mail: [EMAIL PROTECTED]
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
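The two paths the message above describes, as an added example written for this thread rather than code from FreeRADIUS or from the poster: a varchar escaper that drops NUL bytes, doubles apostrophes and wraps the value in apostrophes, and a separate format check for numeric parameters. The function names are assumed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not FreeRADIUS's sql_xlat(): the varchar path.
 * The input is length-delimited rather than a C string, so an embedded
 * NUL can be seen and dropped instead of silently truncating the value.
 * Returns a malloc'd quoted literal that the caller frees. */
char *sql_escape_varchar(const unsigned char *in, size_t len)
{
    size_t i, j = 0;
    char *out = malloc(2 * len + 3);   /* worst case: every byte is ' */
    if (out == NULL)
        return NULL;
    out[j++] = '\'';
    for (i = 0; i < len; i++) {
        if (in[i] == '\0')
            continue;                  /* drop NUL as garbage */
        if (in[i] == '\'')
            out[j++] = '\'';           /* '' is a literal ' in SQL */
        out[j++] = (char)in[i];
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* The numeric path: no escaping, only a format check of the form
 * [+-]digits[.digits]. Returns 1 when the text is an acceptable number. */
int sql_is_numeric(const char *s)
{
    size_t n = 0;
    if (*s == '+' || *s == '-')
        s++;
    for (; isdigit((unsigned char)*s); s++)
        n++;
    if (n == 0)
        return 0;
    if (*s == '.') {                   /* fraction needs at least one digit */
        n = 0;
        for (s++; isdigit((unsigned char)*s); s++)
            n++;
        if (n == 0)
            return 0;
    }
    return *s == '\0';                 /* nothing may trail the number */
}
```

Dialects that also treat backslash as an escape character (MySQL in its default sql_mode) need that handled as well; the scheme as described in the message does not cover it.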