Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "SQL injection/Countermeasures/Sanitizing/Partial"

From NetSec
Jump to: navigation, search
(Created page with "<noinclude>:<font size="-2">SQL injection > Countermeasures > Sanitizing > Partial </font><...")
(No difference)

Revision as of 05:47, 19 July 2012

SQL injection > Countermeasures > Sanitizing > Partial

Partial sanitizing may affect any or more (unlisted here) of the following important syntax characters and result in them being encoded in some fashion, escaped, or removed entirely. In many circumstances, it is possible to craft injection queries without syntax characters, resulting in filter bypass and sometimes IDS evasion.

  • The space character (or all whitespace)
Jump to sql injection without whitespace
  • The single quote and double quote characters: ', "
Jump to sql injection without quotes
  • The tag or "equals" comparative operators: <, >, and =
Jump to sql injection without tags
  • The comma character: ,
Jump to sql injection without commas
  • The parenthesis characters: ( and )