Detection of SQL Injection and Cross-site Scripting Attacks: "2.1 Regex for detection of SQL meta-characters
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
Explanation:
We first detect either the hex equivalent of the single-quote, the single-quote itself or the presence of the double-dash. These are SQL characters for MS SQL Server and Oracle, which denote the beginning of a comment, and everything that follows is ignored. Additionally, if you're using MySQL, you need to check for presence of the '#' or its hex-equivalent. Note that we do not need to check for the hex-equivalent of the double-dash, because it is not an HTML meta-character and will not be encoded by the browser. Also, if an attacker tries to manually modify the double-dash to its hex value of %2D (using a proxy like Achilles [ref 5]), the SQL Injection attack fails."
The more I read, the more I acquire, the more certain I am that I know nothing. -Voltaire
Subscribe to:
Post Comments (Atom)
Ramadan - What is it?
Ramadan is one of the most important and holy months in the Islamic calendar. It is a time of fasting, prayer, and spiritual reflection fo...
-
ZipStudio - A versatile Visual Studio add-in to zip up Visual Studio solutions and projects - The Code Project - C# Programming
-
TargetProcess - Agile Project Management & Bug Tracking Software | Download (Project Management Software, Project Tracking, Bug Tracking...
No comments:
Post a Comment