SQL Injection Help

Similar Messages

• SQL injection protection help

  In trying to help another user, I was reminded of a problem I
  face
  often. Trying to create a DW recordset using an IN clause (I
  think this
  got broken in the 8.0.2 update and seems to still be broken
  in CS3).
  I create a string held in a variable like this:
  $ids = (1,5,9,23,6)
  My advanced recordset is this:
  SELECT * FROM tbl WHERE id IN varIds
  Then I set the variable parameters to type=text,
  default=(-1), and
  runtime to $ids.
  The generated SQL doesn;t work because DW puts single quotes
  around my
  variable and the SQL query becomes invalid. DW creates this:
  SELECT * FROM tbl WHERE id IN '(1,5,9,23,6)'
  It should be:
  SELECT * FROM tbl WHERE id IN (1,5,9,23,6)
  So, I edited the SWITCH block at the top of the document to
  include a
  "custom" type, which is the same as the TEXT type but without
  the single
  quotes.
  case "custom":
  $theValue = ($theValue != "") ? $theValue : "NULL";
  break;
  Then in my SQL statement, I manually changed "text" to
  "custom".
  This work fine, but does that open me up to SQL injection or
  other bad
  stuff?
  Alec Fehl, MCSE, A+, ACE, ACI
  Adobe Community Expert
  AUTHOR:
  Microsoft Office 2007 PowerPoint: Comprehensive Course
  (Labyrinth
  Publications)
  Welcome to Web Design and HTML (Labyrinth Publications)
  CO-AUTHOR:
  Microsoft Office 2007: Essentials (Labyrinth Publications)
  Computer Concepts and Vista (Labyrinth Publications)
  Mike Meyers' A+ Guide to Managing and Troubleshooting PCs
  (McGraw-Hill)
  Internet Systems and Applications (EMC Paradigm)

  It looks like you're using PHP ... to protect from SQL
  injections I always
  do this:
  $query = "SELECT * FROM tbl WHERE col='%s' AND col2 IN
  (%d,%d)"
  $query = sprintf($query,"val",34,23);
  $result = mysql_query($query);
  This method ensures that if a user puts "DELETE FROM tbl" in
  an input
  field, it will not cause any deletions, instead the words
  'DELETE FROM tbl'
  will be inserted. Check out sprintf in the PHP manual - good
  stuff!
  One thing to remember about SQL injection, the injected SQL
  has to be
  entered somehow by the end-user (usually with a form); I may
  be wrong, but
  this sql statement looks like it is contained entirely within
  your scripts
  (i.e. it isn't getting getting a user-generated value to
  build any part of
  the SQL statement). Again, I'm guessing here - but it looks
  that way.
  Alex
  "Alec Fehl" <[email protected]> wrote in message
  news:[email protected]...
  > In trying to help another user, I was reminded of a
  problem I face often.
  > Trying to create a DW recordset using an IN clause (I
  think this got
  > broken in the 8.0.2 update and seems to still be broken
  in CS3).
  >
  > I create a string held in a variable like this:
  > $ids = (1,5,9,23,6)
  >
  > My advanced recordset is this:
  >
  > SELECT * FROM tbl WHERE id IN varIds
  >
  > Then I set the variable parameters to type=text,
  default=(-1), and runtime
  > to $ids.
  >
  > The generated SQL doesn;t work because DW puts single
  quotes around my
  > variable and the SQL query becomes invalid. DW creates
  this:
  >
  > SELECT * FROM tbl WHERE id IN '(1,5,9,23,6)'
  >
  > It should be:
  >
  > SELECT * FROM tbl WHERE id IN (1,5,9,23,6)
  >
  > So, I edited the SWITCH block at the top of the document
  to include a
  > "custom" type, which is the same as the TEXT type but
  without the single
  > quotes.
  > case "custom":
  > $theValue = ($theValue != "") ? $theValue : "NULL";
  > break;
  > Then in my SQL statement, I manually changed "text" to
  "custom".
  >
  > This work fine, but does that open me up to SQL
  injection or other bad
  > stuff?
  >
  >
  > --
  > Alec Fehl, MCSE, A+, ACE, ACI
  > Adobe Community Expert
  >
  > AUTHOR:
  > Microsoft Office 2007 PowerPoint: Comprehensive Course
  (Labyrinth
  > Publications)
  > Welcome to Web Design and HTML (Labyrinth Publications)
  >
  > CO-AUTHOR:
  > Microsoft Office 2007: Essentials (Labyrinth
  Publications)
  > Computer Concepts and Vista (Labyrinth Publications)
  > Mike Meyers' A+ Guide to Managing and Troubleshooting
  PCs (McGraw-Hill)
  > Internet Systems and Applications (EMC Paradigm)

• Sql injection attack - need help changing ASP code

  Our web server was attacked yesterday by SQL injection. So I
  quickly learned about the holes in the code that was generated by
  Dreamweaver MX 2004.
  I found the help article on the Adobe website to fix the ASP
  code; however I need more information for my particular case. I
  don't know how to get my cursor type and location settings into the
  new code.
  MY ORIGINAL CODE
  <%
  Dim Recordset1
  Dim Recordset1_numRows
  Set Recordset1 = Server.CreateObject("ADODB.Recordset")
  Recordset1.ActiveConnection = MM_Oncology_STRING
  Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE
  Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
  Recordset1.CursorType = 0
  Recordset1.CursorLocation = 3
  Recordset1.LockType = 1
  Recordset1.Open()
  Recordset1_numRows = 0
  %>
  THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE
  AND LOCATION ABOVE.
  <%
  Dim Recordset1
  Dim Recordset1_cmd
  Dim Recordset1_numRows
  Set Recordset1_cmd = Server.CreateObject ("ADODB.Command")
  Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
  Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir
  WHERE Oncology_ID = ?"
  Recordset1_cmd.Prepared = true
  Recordset1_cmd.Parameters.Append
  Recordset1_cmd.CreateParameter("param1", 5, 1, -1,
  Recordset1__MMColParam) ' adDouble
  Set Recordset1 = Recordset1_cmd.Execute
  Recordset1_numRows = 0
  %>
  What exactly is the 5,1,-1 in the code above?
  Any help would be very much appreciated as my ASP page
  (although secured from SQL injection) is not working properly.
  Thanks,
  --Jen
  --Jen

  The new snippet is not vulnerable to SQL injection. It uses a
  command
  object and actual defined parameters, so you're safe. You
  cannot change the
  cursor type or location on that object.
  "jennday" <[email protected]> wrote in
  message
  news:f85omh$ngg$[email protected]..
  > Our web server was attacked yesterday by SQL injection.
  So I quickly
  > learned
  > about the holes in the code that was generated by
  Dreamweaver MX 2004.
  > I found the help article on the Adobe website to fix the
  ASP code; however
  > I
  > need more information for my particular case. I don't
  know how to get my
  > cursor type and location settings into the new code.

• SQL Injection, replace single quote with two single quotes?

  Is replacing a single quote with two single quotes adequate
  for eliminating
  SQL injection attacks? This article (
  http://www.devguru.com/features/kb/kb100206.asp
  ) offers that advice, and it
  enabled me to allow users to search name fields in the
  database that contain
  single quotes.
  I was advised to use "Paramaterized SQL" in an earlier post,
  but I can't
  understand the concept behind that method, and whether it
  applies to
  queries, writes, or both.

  Then you can use both stored procedures and prepared
  statements.
  Both provide better protection than simply replacing
  apostrophes.
  Prepared statements are simple:
  Set myCommand = Server.CreateObject("ADODB.Command")
  ...snip...
  myCommand.CommandText = "INSERT INTO Users([Name], [Email])
  VALUES (?, ?)"
  ...snip...
  myCommand.Parameters.Append
  myCommand.CreateParameter("@Name",200,1,50,Name)
  myCommand.Parameters.Append
  myCommand.CreateParameter("@Email",200,1,50,Email)
  myCommand.Execute ,,128 'the ,,128 sets execution flags that
  tell ADO not to
  look for rows to be returned. This saves the expense of
  creating a
  recordset object you don't need.
  Stored procedures are executed in a similar manner. DW can
  help you with a
  stored procedure through the "Command (Stored Procedure)"
  server behavior.
  You can see a full example of a prepared statement by looking
  at DW's
  recordset code after you've created a recordset using version
  8.02.
  "Mike Z" <[email protected]> wrote in message
  news:eo5idq$3qr$[email protected]..
  >I should have repeated this, I am using VBScript in ASP,
  with an Access DB.
  >

• SQL Injection and variable substitutions

  Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes
  with the variable substitutions in order to protect from sql injections.
  I'm using apex 3.0.0.00.20
  The trickiest component seems to be a Report of type "pl/sql returning sql", since
  multiple dynamic sql interpretations are done there.
  consider the following innocent looking disaster:
  DECLARE
  l_out VARCHAR2(2000);
  BEGIN
  l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
  RETURN l_out;
  END;
  if NAME is a single quote the report will return:
  failed to parse SQL query: ORA-00911: invalid character
  which hints to the fact that NAME is not escaped, and you are in fact able to access db functions
  as in: '||lower('S')||'
  I also tried to put there a function that runs in a autonomous transaction to log its calls, and
  I see that it's called five times for each request.
  consider now the similar solution (notice the two single quotes):
  DECLARE
  l_out VARCHAR2(2000);
  BEGIN
  l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
  RETURN l_out;
  END;
  with this second example nothing of the above is possible.
  So my theory (please confirm it or refute it) is that there is a first variable substitution done
  at the pl/sql level (and in the second case :NAME is just a string so nothing is substituted).
  Then the dynamic sql is executed and it returns the following string:
  select * from test_injection t where t.name like '%' || :NAME || '%'
  now another substitution is done (at an "APEX" level) and then query is finally executed to return
  the rows to the report.
  The tricky point seems to be that the first substitution doesn't escape the variable (hence the error
  with the single quote), while the second substitution does.
  Please let me know if this makes sense and what are the proper guidelines to avoid sql injection with
  the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
  Thanks

  Giovanni,
  You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
  Scott

• SQL Injection -- DBA role..

  Hi all,
  I'm working as a SQL Server DBA,Now a days we are facing issue with attacks(SQL Injection),most of attacks are taken care by Firewalls but still some attacks hitting Database.
  As a DBA  How to check whether database got effected
  Please help me by providing hints and tips to analysis SQL injection.
  Thanks in advance

  There is no easy ways to detect sql injection. You should analyze activity against databases and work with developers to address it.
  Basically, you can capture sql_completed/rpc_completed events in XEvent or SQL Trace and review them. Anything, which is not parameterized, could be the subject of injection attach (it depends on Client Code and implementation). 
  As the side note, script below provides you the list of the databases together with number of cached execution plans that were used just once. SQL Injection targets non-parameterized queries. So the databases with large number of single-used plans are more
  likely to be affected. In any case, do not rely on output much - large number of single-used plans could be just the sign of bad design rather than being affected. As I said, you need to review client app code just to be sure.
  select
  epa.value as [DB ID],
  db_name(convert(int,epa.value)) as [DB Name],
  count(*) as [Single Use Plans]
  from
  sys.dm_exec_cached_plans p
  cross apply sys.dm_exec_plan_attributes(plan_handle) AS epa
  where
  p.usecounts = 1 and
  p.objtype in ('Adhoc','Prepared') and
  epa.attribute = 'dbid'
  group by
  epa.value
  option (recompile)
  Thank you!
  Dmitri V. Korotkevitch (MVP, MCM, MCPD)
  My blog: http://aboutsqlserver.com

• SQL Injection concerns

  I have been studying sql injection attacks and the
  mysql_real_escape function.
  I read the adobe technote about sql injection and it noted
  that Dreamweaver 8.0 incorporates anti-sql injection code to
  prevent attacks and it specifically refers to Add, Delete, and
  Update; Filtered Recordsets, and Login User server behaviors. Can
  anyone please confirm this to put my mind at ease?
  The Search form and results page uses a filtered recordset,
  so can I presume that it is guarded from attack?
  Can you tell me of any areas that I need to add anti-sql
  injection code myself?
  Thank you so much for your help!

  EviePhillips wrote:
  > The code on this second page (the one where the form
  posts to) ECHOs the form
  > variables. Do I need to enter the
  mysql_real_escape_string around each of the
  > ECHOed posted form variables?
  No, mysql_real_escape_string() is used only when inserting
  user input
  values into a database. You cannot use it without a database
  connection.
  However, you should pass the values to htmlentitities()
  before
  displaying them in your page. You can do this by accessing
  the Format
  menu in the Dynamic Text dialog box. After using the Bindings
  panel to
  insert the value, switch to the Server Behaviors panel, and
  double-click
  the Dynamic Text entry to open the dialog box.
  > I am then going to use the ADD Record server behavior to
  add the data to my
  > database from this page, which based on your counsel is
  fully protected from
  > sql injection.
  >
  > You are very kind for sharing your knowledge!
  > EP
  >
  David Powers, Adobe Community Expert
  Author, "The Essential Guide to Dreamweaver CS4",
  "PHP Solutions" & "PHP Object-Oriented Solutions"
  http://foundationphp.com/

• SQL Injection & CF code Attacks

  One thing I've noticed with sites using CF is that many, many
  programmers do not take into account SQL Injection and CF Form/URL
  variable attacks. I've seen SO many CF pages that blow up when the
  input varies in the slightest, displaying CF error messages,
  datasources, variable names, etc.
  Seems not enough programmers use CFTRY/CFCATCH or even know
  about it. I've seen where SQL table names and datasources were
  being passed in a URL!! It's frightening
  Interested in everyone's BEST PRACTICES to avoid these type
  of attacks.
  I'll start it off with a few I use:
  Use CFTRY / CFCATCH.
  ALWAYS set the maxlength value on form input text boxes and
  make sure the value matches the corresponding column length in your
  DB. If you do not, someone can enter a huge amount of data in the
  field, causing your CF routine or DB to choke.
  Scope all variables, URL, Form, etc.
  Use numbers/integers whenever possible for URL variable
  values.
  Avoid using varchar as the data type in your stored
  procedures for passed URL or Form variables. Use INT instead.
  Validate user input using CF before passing to your SQL, etc.
  queries. Test for allowed/disallowed characters, blanks, length of
  input value, etc.
  Use stored procedures whenever possible.
  Don't make URL or Form variable names too descriptive. ex.
  ?m=100 is better than ?memberID=100

  In addition to the things listed above, you should never
  expect the values sent from any form submission to be 100% as they
  are coded. There are tons of programs out there that can be used to
  intercept and alter the submitted data before it hits your server.
  It is a slow process, but we are locking down any and all form
  variables not just type="text" and textarea's.
  If a user has the ability to alter submitted data, they can
  change the values for all types of form fields (hidden, radio,
  checkbox, select, button, etc...). A lot of our old code did not
  take that into consideration and simply allowed the value entered
  from a "predefind" (hard coded value) form type (radio, checkbox,
  etc...) directly into the database without a check.
  Another step is to turn off "Enable Robust Exception
  Information" in the CF Administrator. This step will help in not
  giving an attacker the complete SQL statement being used in your
  code. Note: This is a recomended practice for all production CF
  servers as it is, but it never hurts to say it. CFTRY/CFCATCH
  blocks work as well to hid that info, but neither way will
  prevent an attack.
  You also can not rely on client side JavaScript for
  validation.
  CR

• SQL Injection - cfqueryparam and other techniques to stop abuse?

  We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.
  First off we have been utlizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.
  What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.
  Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.
  Thanks for any other suggestions.

  CFqueryparam is a good fist step, though you should note that it will not protect some queries.  For example if you have a sort by or order by that is dynamic, cfqueryparam wont help in that case.  You will need to review data and validate for that.
  You should also be checking for XSS vulnarabilities.
  http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in- ColdFusion
  The blog above has a great number of CF sercurity related posts.
  Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues
  http://www.petefreitag.com/item/721.cfm
  There are some open source projects that will also filter out common sql injection and xss attacks on a code level.
  http://portcullis.riaforge.org/
  Finally there are several conferences in the CF world coming up, and all surely have some security sessions.  You may want to attend.

• XML Validation using java for SQL Injection and script validation

  I have an input coming from xml file.
  I have to read that input and validate the input against sql injections and scripts.
  I require help now how to read this xml data and validate against the above two options.
  I am a java developer.
  in this context what is marshelling?

  http://www.ibm.com/developerworks/library/x-javaxmlvalidapi.html?ca=dgr-lnxw07Java-XML-Val
  http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/validation/package-summary.html
  The following code validates the xml against a xml schema
  // define the type of schema - we use W3C:
  String schemaLang = "http://www.w3.org/2001/XMLSchema";
  SchemaFactory factory = SchemaFactory.newInstance(schemaLang);
  Schema schema = factory.newSchema(new StreamSource("sample.xsd"));
  Validator validator = schema.newValidator();
  // at last perform validation:
  validator.validate(new StreamSource("sample.xml"));Message was edited by:
  haishai

• [ask] about oracle sql injection and escalation

  Hello,i'm student , i'm studying oracle,now i want to research about oracle sql injection,i had read some tuttorial such as *'Hacking Oracle From Web,Advanced SQL Injection In Oracle Databases,Oracle Hacker HandBook ...'* but when i try to demo on localserver (11.0.1.6) but not run,and this is my demo
  -- first,i created table users
  create table users (name nvarchar2(50),pass nvarchar2(50))
  -- then i created procedure with system user
  create or replace procedure system.adduser(u nvarchar2,p nvarchar2)
  as
  begin
    insert into users values(u,p);
  end;
  -- grant execute privilege to oc user
  grant execute on adduser to oc
  -- login with user oc and create a procedure
  create or replace procedure sqli
  as
  begin
    execute immediate 'grant dba to oc';
  end;
  -- and then,i run system's procedure
  declare
  begin
    system.adduser('admin','admin'' ; execute immediate  ''declare begin sqli() end;');
  end;
  i hope oracle master help me to i can understand and improving my knowledge
  Thanks

  The best forum for this is probably Forum Home » Java » SQLJ/JDBC
  Presumably you are refering to oracle.sql.TIMESTAMP. While this is intended to (and does) correspond to java.sql.Timestamp it can't be a subclass because it needs to be a subclass of oracle.sql.Datum.

• SQL injection and SQLFury

  We have recently had an SQL injection attack on our site.  The web form in question was calling a second cfm with a post command.  The second cfm did the actually db insert. After extensive research and revamping of the web form I believed that I had shut it down rather convincingly. I did the following to secure the form:
  - implemented the cfqueryparam tag on all applicable fields being entered in the form
  - introduced a hidden, random numeric variable for verification before completing the insert; it tests for its existence and if it is numeric
  - consolidated the two cfms into one page so the entry and insert are done in one cfm (to eliminate injection going directly thru insert cfm)
  However, I am still getting intermittent injection errors into my MS SQL table.  I don't believe it is getting in through the revised web form and am at a loss as to how it's getting through.
  I am now at the point that I am looking for a utility that will scan through my site or specific pages to identify SQL injection vulnerabilties.  I found something called SQLFury and downloaded it; however, there is literally no documentation with it and I have no idea how to run it.  I've researched the web and found no assistance on how to use this utility.  Is anyone familiar with this utility or does anyone know of any other utility that will assist with validating ColdFusion methods?
  Any assistance would be very much appreciated.

  Ian:
  Thanks for the information.  The utility is helpful and confirmed for me that my page was secure from SQL injection.  The additional insight you provided has lead me to discover that my issue was not an SQL injection, but a Cross Scripting attack.  A web vulnerability utility from Acunetix helped me determine that.
  Thanks again,
  ...Wes

• SQL injection embeded .js file to execute CF hack

  I am a programmer sent to investigate suspicious activity at
  a client's web application. I cannot attach a file in case of
  infection potential. The Coldfusion code is open to SQL injection
  attack which is how we believe the Apache web server became
  infected. Upon investigation we found javascript files which had
  been written with CFML code programatically scripted to fit within
  a .js javascript file and write and read data from the server.
  Has ANYONE seen this type of attack before? I cannot disclose
  the client or specific data as we are under a NDA (Non-Disclosure
  Agreement), however, I need help of other Coldfusion programmers to
  fully understand this attack. Has anyone seen CFML code programmed
  into a .js javascript file and run by calling the .js javascript
  file before?
  We have found japanese or chinese language within the code
  and within files on the server. The client states they have NOT
  installed any language packs or anything referencing other
  languages than English. There have been japanese characters found
  on the database server. There are hundreds of .js and .xml files on
  the server which reference japanese. Furthermore, we have found
  many XML files on the server,but the client does not use .xml so
  these .xml files would then be foreign and potentially
  programatically scripted by the server launching code to write
  these files under the un-knowing eyes of the client.
  So we need to understand the limits or potential threats:
  1. Can CFML scripting be embedded into a .js javascript file
  2. If database parameters are not locked, what are the
  possible attacks available to SQL injection
  Any help would be appreciated.
  Thank you in advance.
  Alex Dove

  1. Only if the server is set to parse a .js file as CFML
  2. A lot!
  http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already
  http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARA M
  Ken Ford
  Adobe Community Expert - Dreamweaver/ColdFusion
  Fordwebs, LLC
  http://www.fordwebs.com
  "ajdove" <[email protected]> wrote in
  message news:[email protected]...
  >
  > I am a programmer sent to investigate suspicious
  activity at a client's web
  > application. I cannot attach a file in case of infection
  potential. The
  > Coldfusion code is open to SQL injection attack which is
  how we believe the
  > Apache web server became infected. Upon investigation we
  found javascript
  > files which had been written with CFML code
  programatically scripted to fit
  > within a .js javascript file and write and read data
  from the server.
  >
  > Has ANYONE seen this type of attack before? I cannot
  disclose the client or
  > specific data as we are under a NDA (Non-Disclosure
  Agreement), however, I need
  > help of other Coldfusion programmers to fully understand
  this attack. Has
  > anyone seen CFML code programmed into a .js javascript
  file and run by calling
  > the .js javascript file before?
  >
  > We have found japanese or chinese language within the
  code and within files on
  > the server. The client states they have NOT installed
  any language packs or
  > anything referencing other languages than English. There
  have been japanese
  > characters found on the database server. There are
  hundreds of .js and .xml
  > files on the server which reference japanese.
  Furthermore, we have found many
  > XML files on the server,but the client does not use .xml
  so these .xml files
  > would then be foreign and potentially programatically
  scripted by the server
  > launching code to write these files under the un-knowing
  eyes of the client.
  >
  > So we need to understand the limits or potential
  threats:
  > 1. Can CFML scripting be embedded into a .js javascript
  file
  > 2. If database parameters are not locked, what are the
  possible attacks
  > available to SQL injection
  >
  > Any help would be appreciated.
  > Thank you in advance.
  > Alex Dove
  >
  >

• Sql injection character fields

  Is it true that with MSSQL in the background, character fields can't be used for sql injection?
  A)   One source says that in MSSQL single quotes are escaped into double quotes.
  B)   Another source says that " SQL injection (within ColdFusion apps) is really only an issue with non textual fields. If a text value is tampered with you'll end up with tampered text, but that text will all be part of the core string (within quotes) passed as a value, and will therefore not be executed as separate statements. Numbers, on the other hand, are not enclosed within quotes, and so extraneous text can be tampered "
  Questions about A):   How does escaping 's with "s help, by making string literals in MSSQL not valid?
                                  How could A) above be true when names like O'Mally are being stored with a single quote ?
  Questions about B)    Does it mean code like DELETE * FROM atable would just be stored as a string and not execute ?
                                  If so, is that accurate ?

  To actually answer your question's.
  A) A single quote in SQL is a comment.  To store a single quote as DATA one has to escape it by doubling it.  So to store O'Mally it would be passed as o''Mally.
  The simple SQL injection attack is to end a number value with a random value, that is followed with a ; to end the SQL statment and then another statement can be run, this is then followed by a single quote to comment out any other SQL in the original statement.  ColdFusion automatically escapes single quotes in text fields in most situations, so this is harder to do with text fields, but not impossible.

• SQL Injection Ver 2

  Hello
  I've just installed HTMLDB ver 2 into a new install of 10.2.0.1.0 (taken off OTN)and wanted to have a look at generating reports mentioned in the documentation using SQL Injection. When I click on SQL Injection I get the following message:
  "SQL Injection analysis is not supported with your current database release version. It is only available for Oracle release 10.2 or higher"
  Do I need to switch something else on for HTMLDB to recognise the version of the database?
  Any help greatly appreciated
  Regards
  Pync

  Pync,
  I'm afraid the message is a bit misleading. The packages required from Oracle (in addition to a 10.2 database) have not been distributed yet). See also our release notes on this topic:
  http://download-west.oracle.com/docs/cd/B19306_01/relnotes.102/b16374/toc.htm#CCHJAGDJ
  Sergio