Sunday, April 22, 2018

oracle - Delphi - prevent against SQL injection

Safe 


query.SQL.Text := 'select * from table_name where name=:Name';

This code is safe because you are using parameters.
Parameters are always safe from SQL-injection.


Unsafe


var Username: string;
...
query.SQL.Text := 'select * from table_name where name='+ UserName;

Is unsafe because Username could be name; Drop table_name;
Resulting in the following query being executed.


select * from table_name where name=name; Drop table_name;

Also Unsafe


var Username: string;
...
query.SQL.Text := 'select * from table_name where name='''+ UserName+'''';

Because it if username is ' or (1=1); Drop Table_name; --
It will result in the following query:


select * from table_name where name='' or (1=1); Drop Table_name; -- '

But this code is safe


var id: integer;
...
query.SQL.Text := 'select * from table_name where id='+IntToStr(id);

Because IntToStr() will only accept integers so no SQL code can be injected into the query string this way, only numbers (which is exactly what you want and thus allowed)


But I want to do stuff that can't be done with parameters


Parameters can only be used for values. They cannot replace field names or table names.
So if you want to execute this query


query:= 'SELECT * FROM :dynamic_table '; {doesn't work}
query:= 'SELECT * FROM '+tableName;      {works, but is unsafe}

The first query fails because you cannot use parameters for table or field names.
The second query is unsafe but is the only way this this can be done.
How to you stay safe?


You have to check the string tablename against a list of approved names. 


Const
  ApprovedTables: array[0..1] of string = ('table1','table2');
procedure DoQuery(tablename: string);
var
  i: integer;
  Approved: boolean;
  query: string;
begin
  Approved:= false;
  for i:= lo(ApprovedTables) to hi(ApprovedTables) do begin
    Approved:= Approved or (lowercase(tablename) = ApprovedTables[i]);
  end; {for i}
  if not Approved then exit;
  query:= 'SELECT * FROM '+tablename;
  ...

That's the only way to do this, that I know of.


BTW Your original code has an error:


query.SQL.Text := 'select * from table_name where name=:Name where id=:ID';

Should be 


query.SQL.Text := 'select * from table_name where name=:Name and id=:ID';

You cannot have two where's in one (sub)query

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

plot explanation - Why did Peaches' mom hang on the tree? - Movies & TV

In the middle of the movie Ice Age: Continental Drift Peaches' mom asked Peaches to go to sleep. Then, she hung on the tree. This parti...