Parameterizing SQL queries

Blog post

Author
Message

Rocket Man
Posts: 383
Posted on: 2012-10-31 00:37:48.000
Sometimes SQL injection comes in tricky forms. Often attackers will add on extra junk in the URL to try and confuse SQL into doing something it wasn't intended to do. For example, if the URL for page 2 is:
http://newlisponrockets.com/rockets-main.lsp?p=2

an attacker might try something like
http://newlisponrockets.com/rockets-main.lsp?p=2 OR 1=1

to try and break the code or inject some other SQL into the query by adding these commands with spaces.

I've added a function called (force-parameters) that makes it easy to prevent this. For example, to get the page number from the URL, I used to call ($GET "p"), which in this case would return "2 OR 1=1".

Now, I use the code:

(set 'current-page (force-parameters 1 ($GET "p"))) ; we only need the first part, ignore anything else

which takes only the first parameter from the URL. You can add as much extra junk after it, but it will only take the "2".


Views: 5183