I have this regular expression to find syntax errors off of webpages (I'm a pentester for a living):
SQL_REGEX = %r((?-mix:SQL query error)|(?-mix:MySQL Query Error)|(?-mix:expects parameter)|(?-mix:You have an error in your SQL syntax))
I would like a regex that will find the error messages on a website if they have incorrectly closed SQL syntax. The one above works, but it seems to me that it's a little slower than it could be; any suggestions on how to make a better, more reliable regex?
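An added example (not from the question or any answer) of the same signature list compiled once in Python, with each phrase labelled so a hit can be attributed; the response bodies are constructed for the demo.

```python
import re

# Constructed signature table modelled on the question's Ruby union: a label
# for each literal phrase, so a hit can be attributed to a DB/driver family.
SQL_ERROR_SIGNATURES = {
    "generic_sql": "SQL query error",
    "mysql": "MySQL Query Error",
    "php_mysql": "expects parameter",
    "mysql_syntax": "You have an error in your SQL syntax",
}

# Compile once at import time. Re-compiling per page is the usual reason a
# scanner regex feels slow; the alternation itself is cheap for plain literals.
SQL_ERROR_RE = re.compile(
    "|".join(f"(?P<{name}>{re.escape(phrase)})"
             for name, phrase in SQL_ERROR_SIGNATURES.items()),
    re.IGNORECASE,
)

def find_sql_errors(body, context=40):
    """Return [(signature name, surrounding snippet)] for every hit in a response body."""
    hits = []
    for m in SQL_ERROR_RE.finditer(body):
        start = max(0, m.start() - context)
        end = min(len(body), m.end() + context)
        hits.append((m.lastgroup, body[start:end]))
    return hits

# Constructed sample response bodies, not captured from any real site.
LEAKY_PAGE = ("<html><body><p>Warning: mysql_fetch_array() expects parameter 1 "
              "to be resource</p><p>you have an error in your SQL syntax; "
              "check the manual</p></body></html>")
CLEAN_PAGE = "<html><body><p>Welcome back.</p></body></html>"

if __name__ == "__main__":
    for name, snippet in find_sql_errors(LEAKY_PAGE):
        print(name, "->", snippet)
```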
I recently discovered that GET is a reserved word in SQL Developer, but I can't figure out what it's for. I tried the Oracle Help Center's list of reserved words, but there's no mention of it.
In short: What is the use of GET in PLSQL?
It doesn't mean anything in PL/SQL, unless you have an object with that name. Or in SQL.
It's a SQL*Plus command:
GET [FILE] file_name[.ext] [LIST | NOLIST]
Loads an operating system file into the SQL buffer.
You can get a file into the buffer and edit it there before executing it, rather than just running it directly with start or #.
SQL Developer implements, or at least recognises or allows, most SQL*Plus statements, presumably for compatibility reasons (though some things don't work, such as set embed on).
It seems to silently ignore get.
It's in the documentation's keyword list, rather than the reserved words list. You can use it as an object name etc.; they recommend you don't, but as this is a client keyword rather than a SQL one it wouldn't be as noticeable. At least, if SQL Developer didn't highlight it as a keyword...
I'm doing an audit of a system, which the developers insist is SQL injection proof. This they achieve by stripping out the single-quotes in the login form - but the code behind is not parameterized; it's still using literal SQL like so:
username = username.Replace("'", "");
var sql = "select * from user where username = '" + username + "'";
Is this really secure? Is there another way of inserting a single quote, perhaps by using an escape character? The DB in use is Oracle 10g.
Maybe you can also fail them because not using bind variables will have a very negative impact on performance.
A few tips:
1- It is not necessarily the ' character that can be used as a quote. Try this:
select q'#Oracle's quote operator#' from dual;
2- Another tip from the "Innocent Code" book says: Don't massage invalid input to make it valid (by escaping or removing). Read the relevant section of the book for some very interesting examples. A summary of the rules is here.
Have a look at the testing guide here: http://www.owasp.org/index.php/Main_Page That should give you more devious test scenarios, perhaps enough to prompt a reassessment of the SQL coding strategy :-)
No, it is not secure. SQL injection doesn't require a single-quote character to succeed. You can use AND, OR, JOIN, etc to make it happen. For example, suppose a web application having a URL like this: http://www.example.com/news.php?id=100.
You can do many things if the ID parameter is not properly validated. For example, if its type is not checked, you could simply use this: ?id=100 AND INSERT INTO NEWS (id, ...) VALUES (...). The same is valid for JOIN, etc. I won't teach how to explore it because not all readers have good intentions like you appear to have. So, for those planning to use a simple REPLACE, be aware that this WILL NOT prevent an attack.
So, no one can have a name like O'Brian in their system?
The single quote check won't help if the parameter is numeric - then 1; DROP TABLE user;-- would cause some trouble =)
I wonder how they handle dates...
If the mechanism for executing queries got smart like PHP, and limited queries to only ever run one query, then there shouldn't be an issue with injection attacks...
What is the client language? That is, we'd have to be sure exactly what datatype username is and what the Replace method does in regard to that datatype. Also how the actual concatenation works for that datatype. There may be some character set translation that would translate some quote-like character in UTF-8 to a "regular" quote.
For the very simple example you show it should just work, but the performance will be awful (as per Thilo's comment). You'd need to look at the options for cursor_sharing.
For this SQL
select * from user where username = '[blah]'
As long as [blah] didn't include a single quote, it should be interpreted as single CHAR value. If the string was more than 4000 bytes, it would raise an error and I'd be interested to see how that was handled. Similarly an empty string or one consisting solely of single quotes. Control characters (end-of-file, for example) might also give it some issues but that might depend on whether they can be entered at the front-end.
For a username, it would be legitimate to limit the character set to alphanumerics, and possibly a limited set of punctuation (dot and underscore perhaps). So if you did take a character filtering approach, I'd prefer to see a whitelist of acceptable characters rather than blacklisting single quotes, control characters etc.
In summary, as a general approach it is poor security, and negatively impacts performance. In particular cases, it might (probably?) not expose any vulnerabilities. But you'd want to do a LOT of testing to be sure it doesn't.
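An added example (not code from the question or any answer) contrasting the quote-stripping approach with bind variables and the whitelist suggested above; Python's built-in sqlite3 stands in for the Oracle client, and the table contents are constructed.

```python
import re
import sqlite3

# Whitelist from the answer above: alphanumerics plus dot and underscore.
USERNAME_RE = re.compile(r"\A[A-Za-z0-9._]{1,64}\Z")

def make_demo_db():
    """Constructed in-memory stand-in for the Oracle schema; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "o'brian")])
    return conn

def lookup_user_stripped(conn, username):
    """Mirrors the audited code: strip single quotes, then concatenate."""
    username = username.replace("'", "")
    return conn.execute("select * from user where username = '" + username + "'").fetchall()

def lookup_id_stripped(conn, user_id):
    """Same stripping on a numeric column: the value is never quoted, so stripping changes nothing."""
    user_id = user_id.replace("'", "")
    return conn.execute("select * from user where id = " + user_id).fetchall()

def lookup_user_bound(conn, username):
    """Hardened form: a bind variable keeps the input as data whatever it contains."""
    return conn.execute("select * from user where username = ?", (username,)).fetchall()

def lookup_id_bound(conn, user_id):
    """Hardened form for the numeric case: type-check first (int() raises), then bind."""
    return conn.execute("select * from user where id = ?", (int(user_id),)).fetchall()

def valid_username(username):
    """Whitelist check to apply before any lookup; note it rejects O'Brian too, so decide deliberately."""
    return USERNAME_RE.match(username) is not None
```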
I am writing a simple script to update a table's data.
I am unable to get a record through a field named "Agliè"; the problem is "è".
c = Comune.find_by_denominazione_italiano_tedesco('Agliè')
I realised that the problem can be patched using "Aglie", but I need to preserve the accent difference (these are town names, some are the same, except for the accent).
My db character set is UTF-8, the collation is latin1_swedish_ci; however, changing it to utf8_general_ci makes no difference. My ruby script is in utf-8; I tried changing it to latin1 as well, no difference again.
Any suggestion?
Cheers,
Davide
Looks like it was a file encoding problem after all, grr.
Thanks anyway folks.
I am encountering an interesting issue with an application that was migrated from Oracle 9i to 10g.
Previously, we had a problem when a field contained double quotes since Oracle recordsets encapsulated fields in double quotes.
Example:
"field1"||"field2"||"field "Y" 3"||"field4"
Since the move to 10g, I believe that the Oracle client-side driver is parsing the double quotes and replacing them with "
Unfortunately I don't have an old 9i environment to test my theory.
Have you seen similar behavior or can someone validate if my theory is true?
It's a strange behavior. Can you check your NLS_xx environment variables? Some NLS_xx variables can translate chars; for instance, NLS_LANG can translate acutes from a Latin charset on the client to a us2ascii charset on the server.
To be sure about what is going on, try to trace Net connections. You'll see everything moving from one side to the other. Be careful...