Difference between revisions of "SQL injection/Countermeasures/Sanitizing/Partial"
From NetSec
Latest revision as of 05:48, 19 July 2012
Partial sanitizing may affect any of the following important syntax characters (and others not listed here), causing them to be encoded in some fashion, escaped, or removed entirely. In many circumstances it is possible to craft injection queries that use none of the filtered syntax characters, resulting in filter bypass and sometimes IDS evasion.
- The space character (or all whitespace)
  - Jump to sql injection without whitespace
- The single quote and double quote characters: ', "
  - Jump to sql injection without quotes
- The angle-bracket ("tag") and "equals" comparison operators: <, >, and =
  - Jump to sql injection without tags
- The comma character: ,
  - Jump to sql injection without commas
- The parenthesis characters: ( and )
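As an added example (not part of the original page), the following Python shows a deliberately weak partial sanitizer that only removes the space and quote characters from the list above, an audit helper that reports which of the listed syntax characters still pass through it, and the countermeasure that does not rely on stripping anything: binding the value as a query parameter. The sanitizer, the `surviving_syntax_chars` helper and the sample name are constructed for this illustration.

```python
import sqlite3

# Syntax characters the page lists as commonly affected by partial sanitizing.
# Only this set is checked; nothing outside it is assumed to be harmless.
SQL_SYNTAX_CHARS = {" ", "'", '"', "<", ">", "=", ",", "(", ")"}


def partial_sanitize(value, stripped=(" ", "'", '"')):
    """A deliberately weak filter (constructed example): removes only the
    characters in `stripped`. This models the 'removed entirely' form of
    partial sanitizing described on the page."""
    return "".join(ch for ch in value if ch not in stripped)


def surviving_syntax_chars(value, stripped=(" ", "'", '"')):
    """Audit helper (assumed, not from the page): which of the listed syntax
    characters are still present after the partial filter has run."""
    cleaned = partial_sanitize(value, stripped)
    return sorted(ch for ch in SQL_SYNTAX_CHARS if ch in cleaned)


def lookup_user_parameterized(conn, username):
    """The countermeasure: the value is bound as a parameter and never
    concatenated into the statement, so no character stripping is needed."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


def demo():
    # Constructed sample data: a legitimate name containing several of the
    # listed syntax characters.
    legit_name = "O'Brien (Jr.), <lead>"
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (legit_name,))

    mangled = partial_sanitize(legit_name)            # legitimate data is corrupted
    left_over = surviving_syntax_chars(legit_name)    # parentheses, comma, <, > survive
    found = lookup_user_parameterized(conn, legit_name)   # exact value matches: id 1
    not_found = lookup_user_parameterized(conn, mangled)  # mangled value matches nothing
    return mangled, left_over, found, not_found


if __name__ == "__main__":
    print(demo())
```

The audit result makes the page's point concrete: a filter that strips some syntax characters both corrupts legitimate input and leaves the rest of the syntax characters untouched, whereas the parameterized query preserves the value exactly.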