SQL Safety.
by Nathan Huffman · in Torque Game Engine · 06/13/2006 (11:12 pm) · 21 replies
Right now I'm working on making sure user supplied data is secure for SQL queries. Don't want any injection attacks.
Given my client/master server setup, just limiting the client software to 'not enter' 'bad data' in their GUI isn't secure enough, because a malicious hacker with enough know-how can easily get around that.
Therefore, I'm just asking if anyone can think of anything that could get past my current defences:
All user supplied data is checked to be 16 characters or fewer in length, and each character must be Alphanumeric (A-Z, a-z, 0-9) -- therefore no symbols, extended ASCII (aka ALT CODES), or spaces.
From the best of my knowledge this should make sure any user supplied data is 'clean'. However, can YOU think of anything you could craft that passes my aforementioned criteria check that could cause damage?
Of course, things like "DROP DATABASE" aren't an issue because the space bombs out as not being alphanumeric. Doesn't matter if you made the space ALT255 "alt code character"; that's not Alphanumeric.
I'm safe from the typical web attack, double hash then malicious command, such as "--DROP DATABASE;".
I'm safe from just about anything I can think of.
Agreed?
Torque Owner Nathan Huffman
So wouldn't you be "preparing" the statement EACH time you're going to run a select? Or does it somehow get saved and you reference it somehow?
I don't see how my Torquescript function currently: (syntax errors on purpose, easier to read)
%query = "SELECT * FROM accounts WHERE username = " %username ";
%result = $db.Execute(%query)
VERSUS
Preparing, binding and executing each time the function is called.
How is this preparing faster? Can you give me an example of what it should look like in a Torquescript function (pseudocode-wise even)?
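The two ideas in this thread, the 16-character alphanumeric whitelist from the first post and the "concatenate vs. prepare-and-bind" question from the second, side by side. This is an added example written for this page, not the poster's TorqueScript nor any Torque or master-server API; it uses Python's built-in sqlite3 module as a stand-in for whatever database the master server actually talks to, and the accounts table and its rows are constructed here for the demonstration. The point it shows that the prose alone does not: a name like O'Brien breaks the concatenated query outright (and the whitelist would reject it as a user), while the bound version handles it because the SQL text never changes, only the values passed alongside it.

```python
import re
import sqlite3

# Whitelist as described in the first post: 1 to 16 ASCII alphanumerics.
# [A-Za-z0-9] is deliberately used instead of \w, which in Python would
# also admit underscore and Unicode letters. Rejecting the empty string is
# an assumption made here; the post only states the upper bound.
ALLOWED = re.compile(r"[A-Za-z0-9]{1,16}")


def is_clean(value):
    """Return True only if value passes the length + alphanumeric check."""
    return isinstance(value, str) and ALLOWED.fullmatch(value) is not None


def make_db():
    """Constructed in-memory database standing in for the master server's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, score INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 10), ("bob", 20), ("O'Brien", 30)],
    )
    conn.commit()
    return conn


def lookup_concat(conn, username):
    """The shape from the post: the value is spliced into the SQL text.

    Returns the rows, or None if the database rejected the resulting SQL
    (which is what happens as soon as the value contains a quote).
    """
    query = "SELECT username, score FROM accounts WHERE username = '" + username + "'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error:
        return None


# Prepare-and-bind shape: the statement text is fixed once, here as a
# constant; each call supplies only the value to bind to the placeholder.
LOOKUP_SQL = "SELECT username, score FROM accounts WHERE username = ?"


def lookup_bound(conn, username):
    """Same lookup with the value bound as a parameter, never as SQL text."""
    return conn.execute(LOOKUP_SQL, (username,)).fetchall()


def compare(conn, username):
    """Run the whitelist and both query styles on one input for comparison."""
    return {
        "clean": is_clean(username),
        "concat": lookup_concat(conn, username),
        "bound": lookup_bound(conn, username),
    }


if __name__ == "__main__":
    db = make_db()
    # Inputs drawn from the thread plus one legitimate awkward name.
    for name in ["alice", "DROP DATABASE", "--DROP DATABASE;", "O'Brien", "a" * 17]:
        print(repr(name), compare(db, name))
```

In a TorqueScript binding the equivalent would be to keep the SQL string fixed and pass %username through whatever bind call the database layer exposes, rather than splicing it into %query; the whitelist then becomes a second line of defence against bad data rather than the only thing standing between the client and the query text.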