Re: Will Insensitive Like become potential sql injection?
- Subject: Re: Will Insensitive Like become potential sql injection?
- From: "Yung-Luen Lan" <email@hidden>
- Date: Fri, 29 Aug 2008 01:05:34 +0800
Thanks for your clarification.
If I only want a case-insensitive "exact" equality, is there any easy
way to do the following?
select * from table where lower(email) = lower('y%Ll*email@hidden');
Regards,
yllan
On Fri, Aug 29, 2008 at 12:04 AM, Mike Schrag <email@hidden> wrote:
>> I wonder if that will introduce SQL injection vulnerability into my
>> system:
>> assuming an adversary has * or % in his email address query string, will
>> that hurt my database security?
>
> If you are taking a string from a user and just doing "*" + thatString +
> "*", (or something like that), then, yes, they could inject additional
> regexes into that. This isn't quite SQL injection -- I guess you'd call it
> "regex injection". As far as whether or not it impacts your security, it
> really depends on how you're using the query. If you're doing "and password
> like '*..." then I suppose it could, but if you're just searching, say,
> product names and someone puts in a *, it's probably going to potentially
> just give them different results. So I guess my point is that if the
> qualifier in question is participating in a query where the results of the
> query are a security concern, then, yes, you should be careful about the
> values you accept there.
>
> ms
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
>
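Both points in the thread, the wildcard-widening problem Mike describes and the case-insensitive exact match yllan asks for, shown as an added example that is not from the thread or from WebObjects; it uses Python's sqlite3 with a constructed users table and assumes the database's LIKE supports an ESCAPE clause:

```python
import sqlite3

# Constructed sample rows (not data from the mailing-list thread).
SAMPLE_EMAILS = [
    "alice@example.com",
    "Bob@Example.com",
    "percent%sign@example.com",
]

def make_db():
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?)", [(e,) for e in SAMPLE_EMAILS])
    return conn

def find_exact_ci(conn, email):
    """Case-insensitive exact match: the bound parameter is compared as a
    value, so '%', '_', '*' or quotes in the input carry no special meaning."""
    rows = conn.execute(
        "SELECT email FROM users WHERE lower(email) = lower(?)", (email,)
    ).fetchall()
    return sorted(r[0] for r in rows)

def find_substring_naive(conn, fragment):
    """The risky pattern from the thread: user text is spliced into a LIKE
    pattern, so any wildcard the user supplies widens the match."""
    pattern = "%" + fragment + "%"
    rows = conn.execute(
        "SELECT email FROM users WHERE lower(email) LIKE lower(?)", (pattern,)
    ).fetchall()
    return sorted(r[0] for r in rows)

def escape_like(fragment, esc="\\"):
    """Neutralise LIKE metacharacters so the fragment matches literally."""
    return (fragment.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))

def find_substring_escaped(conn, fragment):
    """Substring search that keeps user-supplied '%' and '_' literal."""
    pattern = "%" + escape_like(fragment) + "%"
    rows = conn.execute(
        "SELECT email FROM users WHERE lower(email) LIKE lower(?) ESCAPE '\\'",
        (pattern,),
    ).fetchall()
    return sorted(r[0] for r in rows)
```

A fragment of just "%" returns every row from the naive search but only the address that literally contains a percent sign from the escaped one; the exact-equality query is unaffected by wildcards either way.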