-1

I'm a web application developer using Classic ASP as my server-side scripting language.

I always protect my apps from SQL injection by using a simple function that doubles single apostrophes in string parameters.

' Escape a string value for use inside a single-quoted SQL literal
Function ForSQL(strString)
  ForSQL = Replace(strString, "'", "''")
End Function

For numeric parameters, I use the CInt, CLng and CDbl functions.

I often write concatenated queries; I don't always use stored procedures and I don't always validate user input.

I'd like to ask if someone can show me a working attack against this line of code:

strSQL = "SELECT Id FROM tUsers WHERE Username='" & _
         ForSQL(Left(Request.Form("Username"),20)) & "' AND Password='" & _
         ForSQL(Left(Request.Form("Password"),20)) & "'"

It could be a banality, but I've never found a kind of attack that works.

Cheran Shunmugavel
danylele
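The question's escaping, reproduced in Python and run against SQLite, which uses the same `''` escape inside string literals and the same `--` line comment as SQL Server (an added example, not code from the question or either answer; the table, the single user row and the attack strings are constructed for the demo). Doubling the apostrophe is the complete escape for a single-quoted literal, so the classic `' OR 1=1 --` payload is stored as plain text and the line as posted, which applies `Left` first and `ForSQL` second, yields no match. The second builder is a hypothetical variant that applies the two calls in the opposite order; there `Left` can cut a doubled quote in half, so an input of exactly 20 characters ending in a quote closes the literal early and the Password field is then parsed as SQL:

```python
import sqlite3

# The question's Left(..., 20) limit.
MAX_LEN = 20


def for_sql(s: str) -> str:
    """Python version of the question's ForSQL(): double every single quote."""
    return s.replace("'", "''")


def left(s: str, n: int) -> str:
    """Python version of VBScript Left(): the first n characters."""
    return s[:n]


def build_query_truncate_then_escape(username: str, password: str) -> str:
    """The order the question uses: Left() first, then ForSQL()."""
    return ("SELECT Id FROM tUsers WHERE Username='"
            + for_sql(left(username, MAX_LEN))
            + "' AND Password='"
            + for_sql(left(password, MAX_LEN))
            + "'")


def build_query_escape_then_truncate(username: str, password: str) -> str:
    """Hypothetical variant, NOT the question's code: ForSQL() first, then
    Left(). Truncation can now split a doubled quote, leaving a lone quote
    that ends the Username literal early."""
    return ("SELECT Id FROM tUsers WHERE Username='"
            + left(for_sql(username), MAX_LEN)
            + "' AND Password='"
            + left(for_sql(password), MAX_LEN)
            + "'")


def run_login(sql: str):
    """Run the concatenated statement against a fresh in-memory table holding
    one constructed user. Returns the matched Ids, or None if the statement
    does not even parse."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE tUsers (Id INTEGER PRIMARY KEY, "
                     "Username TEXT, Password TEXT)")
        conn.execute("INSERT INTO tUsers VALUES (1, 'admin', 's3cret')")
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None
    finally:
        conn.close()


# Constructed attack input: a 20-character username that ends in a quote,
# plus a password field that is only meaningful once it is parsed as SQL.
ATTACK_USER = "a" * 19 + "'"
ATTACK_PASS = " OR 1=1 --"

if __name__ == "__main__":
    for builder in (build_query_truncate_then_escape,
                    build_query_escape_then_truncate):
        sql = builder(ATTACK_USER, ATTACK_PASS)
        print(builder.__name__, "->", run_login(sql))
        print("    ", sql)
```

With the question's order the attack input produces `Username='aaaaaaaaaaaaaaaaaaa''' AND Password=' OR 1=1 --'`, a valid statement that matches nothing; with the reversed order it produces `Username='aaaaaaaaaaaaaaaaaaa'' AND Password=' OR 1=1 --'`, where the literal swallows ` AND Password=` and the remaining ` OR 1=1` is live SQL. The same split happens whenever anything truncates an already escaped string after escaping, for example a `varchar(20)` column that silently truncates on INSERT and whose content is later concatenated into another statement, which is why a parameterized ADODB.Command is the safer construction regardless of ordering.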

2 Answers

0

I've always used "sqli helper 2.7" (you can download it) to find most/all SQL injections. I'm not sure if this will help at all, but it will at least help test for all of the SQL comments and everything. I remember on one of my sites it found a main SQL injection to dump all of my database data. It's not exactly what you're looking for, but it might be able to find a way through.

grepsedawk
-3

There is no functioning SQL injection for input sanitized this way. The downside is that when retrieving data from the database you have to replace the double apostrophes.

sDataRetrievedFromDatabase = Replace(sDataRetrievedFromDatabase, "''", "'")
Nathan Rice
  • I'm sorry, but I didn't understand your answer. I'm Italian; maybe I don't understand English correctly. Can you explain with an example? – danylele Apr 12 '12 at 22:37
  • I see your example. But I cannot understand why I have to replace the double apostrophes with a single apostrophe. When I write a double apostrophe to the db... it considers only one. – danylele Apr 12 '12 at 23:03
  • In my experience this is not the case. When I return the data I need to do this replace to return the data to a single apostrophe. – Nathan Rice Apr 12 '12 at 23:06
  • With MS SQL Server, if you INSERT INTO Temp(Field1) VALUES ('''') the DB saves only one single quote. If you SELECT * FROM Temp the result is only ' (a single quote, not two)... so... no need to replace... – danylele Apr 12 '12 at 23:11
  • This is incorrect. See the link that Mr Lister posted as a comment to the question for some examples. – Cheran Shunmugavel Apr 13 '12 at 16:31
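A check of the round-trip behaviour the comments argue about, as an added example that is not part of the answer or the comments: SQLite is used as a stand-in for SQL Server, since both treat `''` inside a single-quoted literal as one stored apostrophe. The `Temp`/`Field1` names follow the comment above; the sample values are constructed. `stored_for_literal` runs the exact statement from the comment, `round_trip` writes a value through the question's ForSQL escaping and reads it back, and `undouble` is the `Replace(..., "''", "'")` the answer applies on the way out:

```python
import sqlite3


def for_sql(s: str) -> str:
    """The question's ForSQL(): double every single quote."""
    return s.replace("'", "''")


def undouble(s: str) -> str:
    """The Replace(..., "''", "'") the answer applies to data read back."""
    return s.replace("''", "'")


def _fresh_table() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Temp (Field1 TEXT)")
    return conn


def stored_for_literal(literal: str) -> str:
    """Run INSERT INTO Temp(Field1) VALUES (<literal>) with the literal
    written exactly as given, and return the value the engine stored."""
    conn = _fresh_table()
    try:
        conn.execute("INSERT INTO Temp(Field1) VALUES (" + literal + ")")
        (stored,) = conn.execute("SELECT Field1 FROM Temp").fetchone()
        return stored
    finally:
        conn.close()


def round_trip(value: str) -> str:
    """Write value through a concatenated, ForSQL-escaped literal and read
    the stored value back, with no un-doubling."""
    return stored_for_literal("'" + for_sql(value) + "'")


if __name__ == "__main__":
    print(repr(stored_for_literal("''''")))      # the comment's INSERT
    print(repr(round_trip("O'Brien")))
    print(repr(round_trip("''")), "->", repr(undouble(round_trip("''"))))
```

The engine de-escapes the literal when it parses the statement, so what is stored is the original value and the read side needs no replace; applying `undouble` to a value that legitimately contains two consecutive apostrophes silently corrupts it.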