On 6/7/25 14:56, Adrian Klaver wrote:
On 6/7/25 14:18, Glen K wrote:
I don't believe that this would move the needle on SQL-injection
safety by enough to be worth doing. An injection attack is normally
trying to break out of a quoted string, not a comment.
Yes, SQL injections frequently involve escaping quoted strings, but if
you do a search for SQL injection examples, you will find that most of
them (I would say 90% or more) also use comments to remove the
remainder of the SQL statement from consideration. Here is one example
where an attacker specifies "admin'--;" as the username:
SELECT * FROM members WHERE username = 'admin'--;' AND password =
'password';
The comment in this example removes the password from inclusion in the
statement, allowing the attacker to log in as admin without a password.
Really?
select username, first_name, last_name from auth_user where username =
'aklaver';
username | first_name | last_name
----------+------------+-----------
aklaver | Adrian | Klaver
select username, first_name, last_name from auth_user where username =
'aklaver--;' and password = 'password';
username | first_name | last_name
----------+------------+-----------
(0 rows)
Oops, missed a quote:
select username, first_name, last_name from auth_user where username =
'aklaver'--;' and password = 'password';
production-#
Still, I don't see how this would work, even if you add another ';' and get:
production=# select username, first_name, last_name from auth_user where
username = 'aklaver'--;' and password = 'password';
production-# ;
username | first_name | last_name
----------+------------+-----------
aklaver | Adrian | Klaver
What authentication system are you using that does not actually verify
the password and allows entry for a zero return result?
--
Adrian Klaver
adrian.kla...@aklaver.com
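The two login patterns argued over above, as an added example that is not part of the thread: the spliced-string query that lets the "admin'--" username comment out the password clause, next to a parameterized lookup that verifies the password in code. It assumes an in-memory sqlite3 table standing in for the members/auth_user table (constructed data, not from the list).

```python
import hashlib
import hmac
import os
import sqlite3

SALT = os.urandom(16)  # one demo-wide salt; real code stores a salt per user


def pw_hash(password: str) -> str:
    """PBKDF2-SHA256 hex digest of the supplied password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the thread's members/auth_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO members VALUES (?, ?)", ("admin", pw_hash("password")))
    return conn


def login_spliced(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The shape from the thread: user input pasted into the SQL text.
    With the username "admin'--" the line comment swallows the AND clause
    (sqlite, like PostgreSQL, treats -- as a comment to end of line), so
    the password is never compared and the admin row comes back."""
    sql = (f"SELECT username FROM members WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: a bound parameter keeps "admin'--" a plain string value
    (no such user exists), and the password is verified in code with a
    constant-time compare rather than trusted to a row count."""
    row = conn.execute(
        "SELECT pw_hash FROM members WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], pw_hash(password))
```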