
One day I was talking with a friend about one of his server applications for a little flash game. The server communicates with a mysql database. And I found this request:

"UPDATE phpbb_users SET patojdur = '" + this.score + "' WHERE user_id = '" + this.user_id + "'"

As this.score is data entered by the user, I asked him if it wasn't unsafe to put that directly in the SQL request, and take the risk of an SQL injection.

But he answered me: "No, because this.score is a user_request.split("'")[1]; the split is protecting me and you can't put a ' to inject."

My question isn't whether he made the right choice by doing that, because I know he won't change his mind, but what he said made me curious about one thing: is split really safe? Does it really prevent the split character from passing through, whatever you do? Or, even if it's risky, does a var.split("'") ultimately prevent you from ' injection?

Edit: I've read the following question, but mine is specific to the Split method and doesn't apply only to SQL databases. In other words, my question is:

Does var.split('c') really prevent c from being in the final string?


2 Answers

'ʼ;DROP TABLE myTable--'

There are cases where Unicode conversion might slip through a single quote, since you are only explicitly replacing one representation of the single quote character with an empty string (that's what split does ..).

see: https://siderite.dev/blog/why-doubling-single-quotes-is-not.html

Siderite Zackwehdex
light_303:
  • Thank you, hopefully JDBC doesn't allow multiple queries in one statement. But as everyone said, what my friend is doing is still dangerous! – Jun 17 '14 at 18:01

Still dangerous. Of course it depends on the SQL variant. Backslash is by the standard an escape. Easy would be \x27 (if that works) for apostrophe; but already havoc is possible if the injected string ends with a backslash.

Joop Eggen
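The following is an added example, not code from the question or either answer, that puts the question ("does split('c') keep c out of the result?") and the two answers' caveats (a lookalike apostrophe that survives the split, a trailing backslash that can escape the closing quote under MySQL rules) side by side with the parameterised alternative. It mimics the friend's Java `split("'")[1]` in Python, assumes a constructed wire format of the shape `score='42'`, and uses an in-memory SQLite table named after the question's `phpbb_users` table in place of the real MySQL database; those are assumptions for the demonstration, not facts from the page.

```python
import sqlite3

# Constructed sample requests (not from the original post). The assumed
# protocol wraps the score in single quotes, so split("'")[1] is the score.
REQUEST_PLAIN = "score='42'"
# The answer's point: U+02BC looks like an apostrophe but is a different
# character, so split("'") leaves it untouched.
REQUEST_LOOKALIKE = "score='42\u02bc;DROP TABLE myTable--'"
# Joop Eggen's point: a value ending in a backslash survives the split, and
# in MySQL's default mode "\'" escapes the closing quote of the literal.
REQUEST_BACKSLASH = "score='42\\'"

# Non-exhaustive sample of apostrophe lookalikes used by the heuristic below.
LOOKALIKE_QUOTES = ("\u02bc", "\u2019")


def extract_score(user_request: str) -> str:
    """Mimics user_request.split("'")[1]. The ASCII apostrophe is the
    separator, so it can never appear in the returned piece."""
    return user_request.split("'")[1]


def build_unsafe_query(score: str, user_id: str) -> str:
    """The string-concatenation pattern from the question, reproduced only so
    the resulting statement can be inspected; never executed here."""
    return ("UPDATE phpbb_users SET patojdur = '" + score
            + "' WHERE user_id = '" + user_id + "'")


def residual_risks(score: str) -> dict:
    """Detection heuristic for what split("'") does NOT remove. This is a
    check, not a fix: the fix is parameter binding (update_score_safe)."""
    return {
        "has_ascii_quote": "'" in score,
        "has_lookalike_quote": any(q in score for q in LOOKALIKE_QUOTES),
        "ends_with_backslash": score.endswith("\\"),
    }


def update_score_safe(conn: sqlite3.Connection, score: str, user_id: str) -> str:
    """Parameterised update: the driver passes score as data, so no character
    in it can alter the statement. Returns the stored value for verification."""
    conn.execute("UPDATE phpbb_users SET patojdur = ? WHERE user_id = ?",
                 (score, user_id))
    row = conn.execute("SELECT patojdur FROM phpbb_users WHERE user_id = ?",
                       (user_id,)).fetchone()
    return row[0]


def demo() -> dict:
    """Runs all three constructed requests through the split, the risk check
    and the safe update; returns what each step produced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users (user_id TEXT PRIMARY KEY, patojdur TEXT)")
    conn.execute("INSERT INTO phpbb_users VALUES ('u1', '0')")
    results = {}
    for name, req in (("plain", REQUEST_PLAIN),
                      ("lookalike", REQUEST_LOOKALIKE),
                      ("backslash", REQUEST_BACKSLASH)):
        score = extract_score(req)
        results[name] = {
            "score": score,
            "unsafe_query": build_unsafe_query(score, "u1"),
            "risks": residual_risks(score),
            "stored": update_score_safe(conn, score, "u1"),
        }
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["risks"], repr(info["stored"]))
```

The split really does guarantee that no ASCII `'` reaches the query, which is the narrow claim the friend made. What it does not guarantee is that the remaining text is harmless as a literal: the lookalike character and the trailing backslash both pass through unchanged, and only the parameterised statement stores them as inert data regardless of what they contain.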