Unsafe sanitization? Is this code SQLi vulnerable?

Question

Function RemoveSuspeitos(ByVal strTXT)
               Dim txtAux As String
               txtAux = strTXT
               txtAux = Replace(txtAux, chr(34), "")
               txtAux = Replace(txtAux, "'", "")
               RemoveSuspeitos = txtAux
End Function

DB: MSSQL

1) Forget syntax errors in the above code, I am not expert in VB.

2) Lets say I always use single or double quotes, even for int values (e.g.: '" + $int_id + "').

Is this sanitization unsafe? If yes, why? Please show me a real exploit scenario.

Well right off the bat I can see "delet" is spelled incorrectly so the actual "delete" keyword will never be replaced. — ilikebeets, Apr 17 '14 at 05:22
Also, I'm no VB expert, but I'm pretty sure txtAux = Replace(txtAux, "%22", "") '" will result in compilation errors. — ilikebeets, Apr 17 '14 at 05:32

score 3 · Accepted Answer · answered Apr 17 '14 at 06:01

3

Yes it is vulnerable. Depending on the input mechanism and the implementation I can simply append a UNION and continue the query to select additional data. I cannot give you an exact scenario without seeing the implementation and the query this string is concatenated with. Fact is that you allow input beyond the scope you will need or want.

Just use parameterized SQL, I'm sure VB supports adding parameters to your queries.

See this

answered Apr 17 '14 at 06:01

ilikebeets

2,896
18
25

What about escaping from the quoted string literal? – Gumbo Apr 17 '14 at 07:36
1

+1 for "just use parameterized SQL". A security-best practices tl;dr for every developer right there if ever you needed one. – Matt Apr 17 '14 at 07:38

Unsafe sanitization? Is this code SQLi vulnerable?

1 Answers1