Magic Quotes

During the last penetration test, I had an occasion to work with the following web application architecture:

I guess you will ask me, what’s wrong here?

The problem is that Oracle is not MySQL, and it simply doesn't "know" about any escaping in the form of backslashes 🙂 Oracle does not recognise backslash escaping at all, because it's a serious DBMS:

It should be mentioned that we have met a lot of Oracle DBMSs during the last penetration test, and most of them contained the described vulnerability, i.e. they had a universal login "'or(1)=(1)--" (aka SQL Injection).

Microsoft SQL Server, too, interprets a backslash ("\") as an ordinary character rather than an escape:

For the Sybase database, we have:

Thus, such DBMS-specific behaviour must be taken into account both when writing applications and when porting them to other databases, to avoid SQL injection problems.
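As an added illustration (not code from the original post), the following Python script emulates PHP's addslashes() / magic_quotes_gpc and runs the resulting query against SQLite, which, like Oracle, MS SQL Server and Sybase, gives a backslash inside a string literal no special meaning; the users table, the sample account and the use of SQLite as a stand-in for the Oracle back end are assumptions of this demo.

```python
import sqlite3

# Constructed stand-in for the real back end: SQLite follows standard SQL here, so
# a backslash inside '...' is just a character (assumption; the post shows Oracle).
PAYLOAD_LOGIN = "'or(1)=(1)--"   # the "universal login" quoted in the post


def addslashes(s: str) -> str:
    """Emulate PHP addslashes() / magic_quotes_gpc: prefix ' " \\ and NUL with a backslash."""
    return "".join(("\\" + ch) if ch in ("'", '"', "\\", "\x00") else ch for ch in s)


def make_db() -> sqlite3.Connection:
    """Constructed sample table with a single user (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def count_magic_quotes(conn: sqlite3.Connection, login: str, password: str) -> int:
    """Vulnerable pattern: magic-quoted input concatenated into the SQL text.

    On MySQL the sequence \\' is an escaped quote inside the literal; here '\\' is a
    complete literal holding one backslash, so the rest of the input is parsed as
    SQL and the trailing -- comments out the password check.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE login = '%s' AND password = '%s'"
           % (addslashes(login), addslashes(password)))
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn: sqlite3.Connection, login: str, password: str) -> int:
    """Fix: bind parameters, so user input never reaches the SQL parser as syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("magic quotes, wrong password: ", count_magic_quotes(db, PAYLOAD_LOGIN, "wrong"))   # 1
    print("parameterized, wrong password:", count_parameterized(db, PAYLOAD_LOGIN, "wrong"))  # 0
```

The first query returns a match for every row despite the wrong password, which is exactly the behaviour the Oracle screenshot above shows; the bound-parameter version returns no match.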

Note: Bernardo Damele described this topic in his blog a year ago [1,2], but practice shows that the problem is still relevant.
