Parameterizing SQL queries


Post #: 50
Post type: Blog post
Date: 2012-10-31 00:37:48.000
Author: Rocket Man

SQL injection does not always arrive in an obviously malicious form. A common trick is to append extra text to a URL parameter so that, when the value is spliced into a query string, the database ends up executing something the page never intended. For example, if the URL for page 2 is:
http://newlisponrockets.com/rockets-main.lsp?p=2

an attacker might try something like
http://newlisponrockets.com/rockets-main.lsp?p=2 OR 1=1

(on the wire the spaces travel as %20, but the value the page sees is the same). If the value of "p" is dropped straight into a WHERE clause, the condition becomes something like page = 2 OR 1=1, which is true for every row, and the same technique can be used to tack any other SQL onto the query.

I've added a function called (force-parameters) that makes it easy to strip this kind of trailing junk. For example, to get the page number from the URL, I used to call ($GET "p"), which for the URL above returns the whole string "2 OR 1=1".

Now, I use the code:

(set 'current-page (force-parameters 1 ($GET "p"))) ; we only need the first part, ignore anything else

which keeps only the first whitespace-separated token of the parameter. You can add as much extra junk after the "2" as you like and only the "2" is used. Two caveats are worth keeping in mind, though. Splitting on whitespace only defeats payloads that actually contain spaces: a value such as 2/**/OR/**/1=1, where SQL comments stand in for the whitespace, passes through a first-token filter intact. And a page number should in any case be checked to be a plain integer before it goes anywhere near a query. The robust fix, and what the title of this post really asks for, is to pass the value to the database as a bound parameter instead of splicing it into the SQL text; the filter is then a sanity check rather than the only line of defence.
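To make the difference concrete, here is an added example in Python (not newLISP, and not code from the Rockets project) that runs against an in-memory SQLite database with a few constructed rows. It shows the unsafe string-spliced query, a stand-in for the first-token filtering described above, the comment-based payload that slips past that filter, and a bound-parameter query guarded by an integer check. The function names and the posts table are assumptions made for illustration.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data: four posts spread over pages 1-3."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, page INTEGER, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts (page, title) VALUES (?, ?)",
        [(1, "post a"), (1, "post b"), (2, "post c"), (3, "post d")],
    )
    return conn


def posts_vulnerable(conn, p):
    """Splices the raw "p" value into the SQL text: the pattern the post warns about."""
    return conn.execute(f"SELECT title FROM posts WHERE page = {p}").fetchall()


def first_token(p):
    """Hypothetical stand-in for the first-token idea: keep the text before the first whitespace."""
    parts = p.split()
    return parts[0] if parts else ""


def posts_first_token(conn, p):
    """Filters with first_token() but still builds the query by string splicing."""
    return posts_vulnerable(conn, first_token(p))


def page_number(p, default=1):
    """Accept only a bare ASCII decimal integer; anything else falls back to the default page."""
    return int(p) if re.fullmatch(r"[0-9]+", p) else default


def posts_parameterized(conn, p):
    """Validate the page number, then bind it to a ? placeholder so it is a value, never SQL."""
    return conn.execute(
        "SELECT title FROM posts WHERE page = ?", (page_number(p),)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # "2 OR 1=1" is the payload from the post; the /**/ variant has no whitespace to split on.
    for payload in ["2", "2 OR 1=1", "2/**/OR/**/1=1"]:
        print(repr(payload))
        print("  vulnerable    :", len(posts_vulnerable(conn, payload)), "rows")
        print("  first token   :", len(posts_first_token(conn, payload)), "rows")
        print("  parameterized :", len(posts_parameterized(conn, payload)), "rows")
```

Running it shows the string-spliced query returning every post for both payloads, the first-token filter catching "2 OR 1=1" but not the comment-separated variant, and the parameterized version treating the rejected value as "page 1" rather than as SQL. The same shape carries over to any language whose database module offers placeholder binding: validate the shape of the value first, then bind it rather than format it into the query string.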

