I would still like to look at any such situation in detail to ensure that TeraScript is behaving properly and doing enough.
Essentially what happens now is that single quotes are doubled. This occurs on all database Actions except Custom SQL (aka Direct DBMS). In that case, starting in TS 6.1 there is a checkbox to automatically provide the encoding (this restores the way it was several versions ago). Additionally, you can also force the encoding to occur at any time by using the encoding=sql attribute on most tags. My concern is that depending on the DBMS, the doubling of single quotes may not be enough. Granted, I have a hard time finding or thinking of an SQL injection which doesn't rely on the presence of a single quote, still it might be possible. In looking at the mysql_escape_string function it seems that some additional characters are escaped, such as \, null, CR, LF, and double quote. Because TeraScript should be passing all information to the DBMS through ODBC, all of those characters should need to be quoted, thus making them safe as long as single quotes are doubled. So I guess my point is simply that Witango/TeraScript should be doing 99.9 percent of the work automatically, and I'd like to carefully look at each of the remaining 0.1% of cases to make sure TS shouldn't be doing more. I believe that some of the cases where these issues might arise are in Custom SQL, or if a programmer is using variables or user input to form other parts of the SQL statement, such as custom column names.

Robert

From: Dale Graham [mailto:[email protected]]
Sent: Sunday, August 21, 2011 7:21 PM
To: [email protected]
Subject: Re: Witango-Talk: Witango / TeraScript MySQL escape meta tag

Correct me if I am wrong, but it was my impression that any direct actions (insert actions, update actions) were safe from SQL injection if you used Witango/Terascript server, but that if you choose to use a direct DBMS statement, these ARE vulnerable to SQL injection.

___________________
Sent from my iPad 2 8)

On Aug 21, 2011, at 7:03 PM, "Fogelson, Steve" <[email protected]> wrote:

Please share what you come up with.
I am always interested in anything to do with PCI compliance.

Steve Fogelson

_____
From: Robert Shubert [mailto:[email protected]]
Sent: Sunday, August 21, 2011 1:29 PM
To: [email protected]
Subject: RE: Witango-Talk: Witango / TeraScript MySQL escape meta tag

Steve,

I'd like to look at your specific situation in more detail. Escaping of values in SQL statements should be automatically handled by TeraScript Server.

Robert

From: Steve Briggs [mailto:[email protected]]
Sent: Sunday, August 21, 2011 11:30 AM
To: [email protected]
Subject: Witango-Talk: Witango / TeraScript MySQL escape meta tag

I need to convert a bunch of old TAFs for PCI compliance and I'm looking for the easiest way to escape insert and update statements to avoid SQL injections. Does anyone have a custom meta tag similar to PHP's mysql_escape_string? i.e.

<@MYSQLESCAPE <@POSTARG first_name>>

Or any other suggestions as to the best way to go about this?

Thanks!

--
Steve

**************************************************
Steve Briggs
Wow Pages
Portland, Maine
Longmont, Colorado
207-761-2450
888-325-5907
[email protected]
**************************************************

_____
To unsubscribe from this list, please send an email to [email protected] with "unsubscribe witango-talk" in the body.
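The thread turns on two points: doubling single quotes does protect a value that sits inside a string literal, and it does nothing for user input that lands in an identifier position such as a column name. The following is an added example written for this page, not code from the thread or from Witango/TeraScript. It uses Python's built-in sqlite3 module with an in-memory table and constructed sample rows; sql_quote is an assumed reimplementation of the quote-doubling behaviour the thread describes, and find_*, field_of_user and ALLOWED_COLUMNS are hypothetical names chosen here.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): two users, one with a quote in the name."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, first_name TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Steve", "s3cret"), (2, "O'Brien", "hunter2")],
    )
    return con


def sql_quote(value):
    """Assumed model of encoding=sql: double each single quote, wrap in quotes.

    This is the standard-SQL rule for a string literal; it is an illustration,
    not TeraScript's own implementation.
    """
    return "'" + value.replace("'", "''") + "'"


def find_unescaped(con, first_name):
    # Vulnerable: raw interpolation lets the input close the literal early.
    sql = "SELECT id FROM users WHERE first_name = '" + first_name + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def find_escaped(con, first_name):
    # Hardened for the value position: the doubled quote keeps the literal closed.
    sql = "SELECT id FROM users WHERE first_name = " + sql_quote(first_name) + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def find_parameterized(con, first_name):
    # Preferred: the driver carries the value separately, so no escaping rule can be wrong.
    rows = con.execute(
        "SELECT id FROM users WHERE first_name = ? ORDER BY id", (first_name,)
    )
    return [row[0] for row in rows]


def field_of_user(con, column, user_id):
    # Identifier position: a column name is not a string literal, so sql_quote
    # cannot apply and the caller controls part of the statement itself.
    sql = "SELECT " + column + " FROM users WHERE id = " + str(int(user_id))
    return con.execute(sql).fetchone()[0]


# Allowlist of columns the application is willing to expose (hypothetical policy).
ALLOWED_COLUMNS = {"id", "first_name"}


def field_of_user_safe(con, column, user_id):
    # Escaping cannot protect an identifier; validation against a fixed set can.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: " + column)
    return field_of_user(con, column, user_id)
```

With the classic `' OR '1'='1` payload, find_unescaped returns every user while find_escaped and find_parameterized return none, and a legitimate `O'Brien` lookup still works through the escaped path. field_of_user, by contrast, returns the password column on request and also answers a CASE expression placed where a column name was expected, which is exactly the "custom column names" case the thread singles out; field_of_user_safe rejects both. One caveat the example cannot reproduce: SQLite does not treat backslash as an escape character, but MySQL does unless NO_BACKSLASH_ESCAPES is set, so on MySQL an input beginning with `\'` still escapes a merely quote-doubled literal; that is the mysql_escape_string difference raised in the thread.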
