VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-Cart StoreFront Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 Why need CleanChars()?
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Starting Member

4 Posts

Posted - July 12 2006 :  07:41:07  Show Profile  Visit awenzel's Homepage  Reply with Quote
I just received the security note about adding calls to CleanChars() to sanitize user input. However, it's not clear to my why this is required. The query is of the form:
select *
from TABLE
where field1='value1'
and field2='value2'

The instructions are to further sanitize the values for value1 and value2. However, those values have already had all single-quote characters removed.

My question is this: since value1 and value2 are within single-quotes, how could someone perform a sql injection attack? Anything passed to sql in those values would just be treated as a string value, and not as any sort of sql comment, right?

Thanks for any insights.



4282 Posts

Posted - July 12 2006 :  18:52:48  Show Profile  Visit support's Homepage  Reply with Quote
Hi Anthony,

Without going into too much detail, for security reasons, it is possible to complete a SQL injection of strings that are enclosed in single quotes by including single quotes in the injection string.

If the single quotes have already been cleansed from the strings then there should be no problem, but we are including the cleanchars call now as a matter of precaution.

If you have any further questions, we would be happy to answer them through our helpdesk at http://www.vpasp.com/virtprog/helpdesk

Claire Banks
VP-ASP Support
Go to Top of Page

Starting Member

4 Posts

Posted - July 14 2006 :  06:22:17  Show Profile  Visit awenzel's Homepage  Reply with Quote
Ok, that's what I thought. Thanks for the reply.
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000