SQL Injections and XSS - Escaping Special Characters

Hi, hope someone can help in regards to security, SQL Injections and XSS.
We are using APEX 4.0.2 on Oracle 11.2.0.2.
1. It seems the special characters we have entered into normal 'Text Items', 'Text Areas' etc. are not being escaped (i.e. <, >, &, '). If I enter them into a field (e.g. Surname) they are saved as is into session state and the database - no escaping. Am I missing something, such as an environment setting? I thought the "smart" Oracle escaping rules would cater for this.
Surely I don't have to manually do each of them.
Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - i.e. should they show as '&amp;&lt;&gt;' in session state and/or the database?
2. Also, for the Oracle procedures such as 'wwv_flow.accept', 'wwv_flow.show', 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters? If not, then they must be vulnerable to SQL Injection attacks.
Thx
Nigel

Recx Ltd wrote:
Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
Apex applications that share the database with other applications will also be affected.
The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.

Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.

Recx Ltd wrote:
Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.

This crosses the line into spam: it violates the OTN Terms of Use (see 6(j)).
Promotional posts like this are liable to be removed by the moderators.
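As an added illustration of the reply's advice (this is not code from the thread or from APEX itself): keep the raw value in the table and call htf.escape_sc only when rendering. The demo_person table and the typed value are constructed; htf.escape_sc is the PL/SQL Web Toolkit function the reply names, and the script is written for SQL*Plus.

```sql
-- Added example, not from the thread. demo_person and the typed value are
-- constructed; htf.escape_sc is the PL/SQL Web Toolkit function the reply names.
SET SERVEROUTPUT ON
SET DEFINE OFF   -- stop SQL*Plus treating the & in the test value as a substitution variable
CREATE TABLE demo_person (surname VARCHAR2(200));

DECLARE
  -- Constructed input with the characters the question lists, minus the single
  -- quote, whose entity form differs between htf versions.
  l_typed VARCHAR2(200) := 'n < 300 & "Smith"';
  l_html  VARCHAR2(400);
  l_hits  PLS_INTEGER;
BEGIN
  -- Correct design: persist exactly what was typed. Session state and the table
  -- hold the raw string; nothing is escaped here.
  INSERT INTO demo_person (surname) VALUES (l_typed);

  -- Render time: one htf.escape_sc call turns & " < > into entities just before
  -- the value is written into the page.
  SELECT htf.escape_sc(surname) INTO l_html
    FROM demo_person WHERE surname = l_typed;
  DBMS_OUTPUT.PUT_LINE('emitted into HTML: ' || l_html);

  -- Raw storage keeps comparisons and searches working on the user's own text.
  SELECT COUNT(*) INTO l_hits FROM demo_person WHERE surname LIKE 'n < 300%';
  DBMS_OUTPUT.PUT_LINE('rows found by a raw search: ' || l_hits);

  -- The design the reply warns against: escape on input. Store a second row
  -- holding the escaped form of the same typed value...
  INSERT INTO demo_person (surname) VALUES (htf.escape_sc(l_typed));

  -- ...and an exact-match search for what the user typed sees only one of the
  -- two rows, because the other one now holds "&lt;" where the user typed "<".
  SELECT COUNT(*) INTO l_hits FROM demo_person WHERE surname = l_typed;
  DBMS_OUTPUT.PUT_LINE('rows matching the typed value (2 stored): ' || l_hits);

  -- Render time still escapes, so the pre-escaped row is escaped twice and the
  -- browser shows the literal text "&lt;" instead of "<".
  SELECT htf.escape_sc(surname) INTO l_html
    FROM demo_person WHERE surname <> l_typed;
  DBMS_OUTPUT.PUT_LINE('double-escaped: ' || l_html);

  ROLLBACK;
END;
/
DROP TABLE demo_person;
```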

Similar Messages

  • SQL Injection and cfqueryparam

    I was told to look into <cfqueryparam> to assist in fighting sql-injection and it makes perfect sense, up until I thought of a different scenario...
    This tag seems great when you are dealing with numbers or text where you can restrict the number of characters, but what if you have a textarea that allows for a large amount of text to be entered? I.E. a search field for records that uses keywords.
    How do you stop someone from entering damaging sql into an area that accepts this?
    Thanks for any education.
    Wally Kolcz
    MyNextPet.org
    Founder / Developer
    586.871.4126

    WebDev wrote:
    It works because <cfqueryparam ....> tells the DBMS that this data is a value NOT SQL. The DBMS will then never process it as SQL. When you write the SQL and Values straight into the code, then the DBMS does not know what is what and assumes it all must be SQL.
    An Example...
    <cfquery ....>
    SELECT aField FROM aTable WHERE aField = '#aValue#'
    </cfquery>
    With this code, ColdFusion processes the entire body of the <cfquery...> tag into a string and sends that entire string to the DBMS as SQL. The DBMS then processes what it was given. If somebody can modify the aValue variable to change the SQL string - that is what is processed.
    <cfquery ...>
    SELECT aField FROM aTable WHERE aField = <cfqueryParam value="#aValue#"...>
    </cfquery>
    With this code ColdFusion processes the SQL and the queryParam as separate things. It sends the DBMS the SQL with parameters and a list of values to be used in those parameters. The DBMS knows the parameters are not SQL and will not process them as SQL, and if the parameter contains SQL it will just be used as a value and not parsed.
    FYI... That is how <cfqueryparam...> can improve performance. By knowing what parts of the SQL are variables, it can cache the SQL and just use different variables when they are passed to the DBMS.
    HTH
    Ian

  • XML Validation using java for SQL Injection and script validation

    I have an input coming from an xml file.
    I have to read that input and validate the input against sql injections and scripts.
    I require help now on how to read this xml data and validate against the above two options.
    I am a java developer.
    In this context what is marshalling?

    http://www.ibm.com/developerworks/library/x-javaxmlvalidapi.html?ca=dgr-lnxw07Java-XML-Val
    http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/validation/package-summary.html
    The following code validates the xml against an xml schema
    import javax.xml.transform.stream.StreamSource;
    import javax.xml.validation.Schema;
    import javax.xml.validation.SchemaFactory;
    import javax.xml.validation.Validator;
    // define the type of schema - we use W3C:
    String schemaLang = "http://www.w3.org/2001/XMLSchema";
    SchemaFactory factory = SchemaFactory.newInstance(schemaLang);
    Schema schema = factory.newSchema(new StreamSource("sample.xsd"));
    Validator validator = schema.newValidator();
    // at last perform validation (throws SAXException when the document does not match the schema):
    validator.validate(new StreamSource("sample.xml"));
    Message was edited by:
    haishai

  • Strategies for escaping special characters.

    Hi all,
    Our app (built using Workshop) needs to have a generic way of scrubbing special
    characters that a user might enter in the UI, and which might cause the sql that
    queries the DB to become malformed. To explain further, some of our DB controls
    are not using PreparedStatements to set Strings; instead, we are constructing
    the sql as a java string like:
    String myQuery = "Select * from * where TOUPPER(name) like '" + param.toUpperCase() + "'";
    and then we do:
    Statement stmt = conn.createStatement();
    stmt.executeQuery(myQuery);
    In such cases, the Oracle JDBC driver does not escape any special chars in the String
    param, and fails. Other than converting all our queries to use PreparedStatements,
    is there a generic pattern/Util class (mebbe RequestUtils) or some way of using
    the Servlet Filter API to scrub out any special chars that are input by the user?
    Thanks in advance.
    Vik.

    ServletFilter is the way to go on this one. Don't think there is anything built
    into Servlet spec that handles these characters, however, there are a number of
    sample filters that do such a task. I think there is a sample in either the O'Reilly
    book on Servlets or Core Servlets.

  • How to escape special characters in Simple Transformation

    Hi Experts,
    I have got a problem getting a well-formed XML document from the simple transformation below. The content of maktx contains
    special characters like & and <, which are not allowed in a well-formed XML document. But the result of the Simple Transformation
    still contains these characters after the transformation, as you can see in the result below. Has anyone a hint on how to escape the
    characters included in the maktx?
    The transformation for maktx should be something like
    Before: Material & < TEST
    After: Material &amp &lt TEST
    Report which calls the simple transformation
    types:
    BEGIN OF t_mat,
       matnr type matnr,
       maktx type maktx,
    end of t_mat.
    Data:
      mat type t_mat,
      xml_stream type xstring.
    START-OF-SELECTION.
    mat-matnr = '4711'.
    mat-maktx = 'Material & < Test'.
    CALL TRANSFORMATION ztest_st2
            SOURCE mat = mat
            RESULT XML xml_stream.
    CALL FUNCTION 'DISPLAY_XML_STRING'
      EXPORTING xml_string = xml_stream.
    Simple Transformation
    <?sap.transform simple?>
    <tt:transform xmlns:tt="http://www.sap.com/transformation-templates">
      <tt:root name="MAT"/>
      <tt:template>
        <Leistungsschild>
            <CHARACT> MATNR </CHARACT>
            <CHARACT_DESCR> Materialnummer </CHARACT_DESCR>
            <VALUE tt:value-ref="MAT.MATNR"/>
            <CHARACT> MAKTX </CHARACT>
            <CHARACT_DESCR> Materialkurztext </CHARACT_DESCR>
            <VALUE tt:value-ref="MAT.MAKTX" />
        </Leistungsschild>
      </tt:template>
    </tt:transform>
    RESULT
    <?xml version="1.0" encoding="utf-8" ?>
    <Leistungsschild>
      <CHARACT>MATNR</CHARACT>
      <CHARACT_DESCR>Materialnummer</CHARACT_DESCR>
      <VALUE>4711</VALUE>
      <CHARACT>MAKTX</CHARACT>
      <CHARACT_DESCR>Materialkurztext</CHARACT_DESCR>
      <VALUE>Material & < Test</VALUE>
    </Leistungsschild>

    Hi Sandra,
    First of all thanks for your quick answer to my problem.
    I see what you mean and get the same result if I am using data type string instead of xstring. But the recommendation in the XML books of SAP is to use XSTRING to save memory and circumvent problems between codepages when writing the XML stream to a filesystem.
    As you can see in the code above I am using a SAP FM to display the XML stream and this FM works only with XSTRINGs,
    that is one reason why I don't understand that it displays it in the wrong way.
    Even the Debugger shows me the wrong result for the XSTRING. Does all that mean that the escaping will not be applied if you are working with XSTRINGs??

  • SQL Injection and variable substitutions

    Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes
    with the variable substitutions in order to protect from sql injections.
    I'm using apex 3.0.0.00.20
    The trickiest component seems to be a Report of type "pl/sql returning sql", since
    multiple dynamic sql interpretations are done there.
    Consider the following innocent looking disaster:
    DECLARE
    l_out VARCHAR2(2000);
    BEGIN
    l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
    RETURN l_out;
    END;
    If NAME is a single quote the report will return:
    failed to parse SQL query: ORA-00911: invalid character
    which hints at the fact that NAME is not escaped, and you are in fact able to access db functions
    as in: '||lower('S')||'
    I also tried to put there a function that runs in an autonomous transaction to log its calls, and
    I see that it's called five times for each request.
    Consider now the similar solution (notice the two single quotes):
    DECLARE
    l_out VARCHAR2(2000);
    BEGIN
    l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
    RETURN l_out;
    END;
    With this second example nothing of the above is possible.
    So my theory (please confirm it or refute it) is that there is a first variable substitution done
    at the pl/sql level (and in the second case :NAME is just a string so nothing is substituted).
    Then the dynamic sql is executed and it returns the following string:
    select * from test_injection t where t.name like '%' || :NAME || '%'
    Now another substitution is done (at an "APEX" level) and then the query is finally executed to return
    the rows to the report.
    The tricky point seems to be that the first substitution doesn't escape the variable (hence the error
    with the single quote), while the second substitution does.
    Please let me know if this makes sense and what the proper guidelines are to avoid sql injection with
    the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
    Thanks

    Giovanni,
    You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
    Scott
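Added example, not from the thread or from APEX itself: Giovanni's two function bodies side by side, executed through a constructed stand-in (run_report) for what the engine does when it parses the returned text and binds :NAME. The test_injection table and its two rows are constructed too, and the script is written for SQL*Plus.

```sql
-- Added example, not from the thread or from APEX. test_injection, its rows and
-- run_report are constructed stand-ins for the report region's query execution.
SET SERVEROUTPUT ON
CREATE TABLE test_injection (name VARCHAR2(100));
INSERT INTO test_injection VALUES ('Smith');
INSERT INTO test_injection VALUES ('O''Neil');
COMMIT;

DECLARE
  -- First body from the thread: by the time the PL/SQL runs, :NAME has already
  -- been replaced by its value, so that value becomes part of the SQL text.
  FUNCTION build_unsafe(p_name IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN 'select * from test_injection t where t.name like ''%' || p_name || '%''';
  END;

  -- Second body: ':NAME' is just characters inside the string, so the returned
  -- SQL still carries a real bind placeholder.
  FUNCTION build_safe RETURN VARCHAR2 IS
  BEGIN
    RETURN 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
  END;

  -- Stand-in for the engine: parse the returned text and, if it contains a bind,
  -- supply the value at execution time. Counting rows keeps the demo short.
  FUNCTION run_report(p_sql IN VARCHAR2, p_name IN VARCHAR2, p_has_bind IN BOOLEAN)
    RETURN PLS_INTEGER
  IS
    l_cnt PLS_INTEGER;
  BEGIN
    IF p_has_bind THEN
      EXECUTE IMMEDIATE 'select count(*) from (' || p_sql || ')' INTO l_cnt USING p_name;
    ELSE
      EXECUTE IMMEDIATE 'select count(*) from (' || p_sql || ')' INTO l_cnt;
    END IF;
    RETURN l_cnt;
  END;

  PROCEDURE try_both(p_name IN VARCHAR2) IS
    l_cnt PLS_INTEGER;
  BEGIN
    DBMS_OUTPUT.PUT_LINE('NAME = [' || p_name || ']');
    BEGIN
      l_cnt := run_report(build_unsafe(p_name), p_name, FALSE);
      DBMS_OUTPUT.PUT_LINE('  unsafe body: ' || l_cnt || ' row(s)');
    EXCEPTION
      WHEN OTHERS THEN
        -- A quote in the value breaks the statement text itself, which is the
        -- parse error the thread saw; any value that does parse runs as SQL.
        DBMS_OUTPUT.PUT_LINE('  unsafe body: ' || SQLERRM);
    END;
    -- The bound version treats the same value purely as data.
    l_cnt := run_report(build_safe, p_name, TRUE);
    DBMS_OUTPUT.PUT_LINE('  safe body  : ' || l_cnt || ' row(s)');
  END;
BEGIN
  try_both('Smith');
  try_both('''');        -- the single quote from the thread
  try_both('O''Neil');   -- legitimate data that happens to contain a quote
END;
/
DROP TABLE test_injection;
```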

  • Oracle SQL query for getting specific special characters from a table

    Hi all,
    This is my table
    Table Name- Table1
    S.no    Name
    1          aaaaaaaa
    2          a1234sgjghb
    3          a@3$%jkhkjn
    4          abcd-dfghjik
    5          bbvxzckvbzxcv&^%#
    6          ashgweqfg/gfjwgefj////
    7          sdsaf$([]:'
    8          <-fdsjgbdfsg
    9           dfgfdgfd"uodf
    10         aaaa  bbbbz#$
    11         cccc dddd-/mnm
    The output has to be
    S.no    Name
    3          a@3$%jkhkjn
    5          bbvxzckvbzxcv&^%#
    7          sdsaf$([]:'
    8          <-fdsjgbdfsg
    10         aaaa  bbbbz#$
    It has to return the "Name" column values that contain special characters, whereas some special chars like -, /, " and space are acceptable.
    The Oracle query has to print columns having special characters excluding -, /, " and space.
    Can anyone help me to get a SQL query for the above?
    Thanks in advance.

    You can achieve it in multiple ways. Here are few.
    SQL> with t
      2  as
      3  (
      4  select 1 id, 'aaaaaaaa' name from dual union all
      5  select 2 id, 'a1234sgjghb' name from dual union all
      6  select 3 id, 'a@3$%jkhkjn' name from dual union all
      7  select 4 id, 'abcd-dfghjik' name from dual union all
      8  select 5 id, 'bbvxzckvbzxcv&^%#' name from dual union all
      9  select 6 id, 'ashgweqfg/gfjwgefj////' name from dual union all
    10  select 7 id, 'sdsaf$([]:''' name from dual union all
    11  select 8 id, '<-fdsjgbdfsg' name from dual union all
    12  select 9 id, 'dfgfdgfd"uodf' name from dual union all
    13  select 10 id, 'aaaa  bbbbz#$' name from dual union all
    14  select 11 id, 'cccc dddd-/mnm' name from dual
    15  )
    16  select *
    17    from t
    18   where regexp_like(translate(name,'a-/" ','a'), '[^[:alnum:]]');
            ID NAME
             3 a@3$%jkhkjn
             5 bbvxzckvbzxcv&^%#
             7 sdsaf$([]:'
             8 <-fdsjgbdfsg
            10 aaaa  bbbbz#$
    SQL> with t
      2  as
      3  (
      4  select 1 id, 'aaaaaaaa' name from dual union all
      5  select 2 id, 'a1234sgjghb' name from dual union all
      6  select 3 id, 'a@3$%jkhkjn' name from dual union all
      7  select 4 id, 'abcd-dfghjik' name from dual union all
      8  select 5 id, 'bbvxzckvbzxcv&^%#' name from dual union all
      9  select 6 id, 'ashgweqfg/gfjwgefj////' name from dual union all
    10  select 7 id, 'sdsaf$([]:''' name from dual union all
    11  select 8 id, '<-fdsjgbdfsg' name from dual union all
    12  select 9 id, 'dfgfdgfd"uodf' name from dual union all
    13  select 10 id, 'aaaa  bbbbz#$' name from dual union all
    14  select 11 id, 'cccc dddd-/mnm' name from dual
    15  )
    16  select *
    17    from t
    18   where translate
    19         (
    20            lower(translate(name,'a-/" ','a'))
    21          , '.0123456789abcdefghijklmnopqrstuvwxyz'
    22          , '.'
    23         ) is not null;
            ID NAME
             3 a@3$%jkhkjn
             5 bbvxzckvbzxcv&^%#
             7 sdsaf$([]:'
             8 <-fdsjgbdfsg
            10 aaaa  bbbbz#$
    SQL>

  • SQL Injection and Java Regular Expression: How to match words?

    Dear friends,
    I am handling SQL injection attacks on our application with a Java regular expression. I use it to match whether malicious characters or keywords have been injected into the parameter value.
    The denied characters and keywords can be " ' ", " ; ", "insert", "delete" and so on. The expression I wrote is String pattern_str="('|;|insert|delete)+".
    I know it is not correct. It could not be used to only match the whole word insert or delete. Each character in the two words can be matched and it is not what I want. Do you have any idea how to only match the whole word?
    Thanks,
    Ricky
    Edited by: Ricky Ru on 28/04/2011 02:29

    Avoid dynamic sql, avoid string concatenation and use bind variables and the risk is negligible.

  • Escaping special characters

    Environment:
    Client: win2k sp4, 10.2 client
    Server: 9.2 on solaris 9
    Is there any way to set an escape character?
    Many times we have '&' characters in strings in procedures, and when I try to compile them sqldeveloper prompts for a value, thinking that it is a variable.
    I've tried the default '\', and 'set escape on' doesn't work either.
    It would be even better if there was an option in sqldeveloper to tell it to ignore the '&' character altogether.
    Thanks.

    not really the answer I was looking for :(
    the devs would end up driving me nuts wondering what all the CHR stuff is in their code.
    i guess for now, i'll just keep using PLedit to compile all the procs that have any special chars.
    ...someday we'll have one tool that does everything ;)

  • Escape special characters for OData response

    Hi all,
    I'm facing a problem on the HTTP response when some special characters are in my entity fields.
    For example I've got an Edm.String field which has characters like ###, ", < (two number signs ## are ok, but three invoke an error)
    When I set output format to xml via URI parameter $format=xml, I get following error:
    <message xml:lang="en">In the context of Data Services an unknown internal server error occured</message>
    Exception /IWCOR/CX_DS_INTERNAL_ERROR in class /IWCOR/CL_DS_EP_WRITER_OUTPUT method /IWCOR/IF_DS_EP_WRITER_OUTPUT~WRITE and Line 39
    If I use JSON as output format, HTTP response code is 200!!, but payload just ends on the character which cannot be interpreted:
    (ABAP)-JSON generator can handle double quotes much better than XML format:
    How can I escape these output strings, without adding chars which will appear in response payload?
    Thanks,
    Steffen

    Hi Uwe & Ron,
    thanks for your ideas, but maybe we're not talking about binary data?! This field is an example from TADIR table.
    OData entity definition for this field:
    Versid
    Edm.String
    0
    0
    20
    ABAP field definition:
    Data Type        CHAR  -  Character String
    No. Characters       20
    Decimal Places        0
    Output Length        20
    Convers. Routine    <empty>
    Uwe did you mean another debugger view?
    SE16 output for this line:
    What if I want to store and receive data with these special chars like ####, ", <, >, ... in an ABAP char field (respectively OData Edm.String)?
    Thanks,
    Steffen

  • Escaped (special) Characters Aren't Rendering Properly

    We upgraded our development server from apex 3.0 to 3.1 recently and I notice now that escaped characters on one of my pages don't display properly. Specifically, in my "Display as Text (saves state)" item, the text
    &.#.9.5.5.2.;.&.#.9.5.5.2.;. New Sheet &.#.9.5.5.2.;&.#.9.5.5.2.;.
    (The item definition doesn't contain any of the periods)
    that displays on our production (3.0) server like this
    ══ New Sheet ══
    displays on our development server literally like this
    &.#.9.5.5.2.;.&.#.9.5.5.2.;. New Sheet ... (excluding the periods)
    The item source is "pl/sql function body" and the source expression is a simple series of if statements that returns the appropriate escaped text.
    Any idea what I can do to fix this problem?

    Hi Tom,
    I researched this issue (and Scott will vet my conclusion).
    I apologize for changing the behavior of your production application. This change was made to fix a different bug (6707591) in Application Express, where entity references were not properly being escaped when rendering a page.
    Even though this change will cause a change in behavior of an existing application, I believe this change is correct and should remain. For an item type of "Display as Text (saves state)", where the source value of this item is:
    &amp;#9552;&amp;#9552; New Sheet &amp;#9552;&amp;#9552;
    when someone submits the page, session state will be updated with the interpreted and non-escaped value. I.e., the session state value would now be:
    &#9552;&#9552; New Sheet &#9552;&#9552;
    This is incorrect.
    This is the way this item type "Display as Text (saves state)" should have behaved all along. If you do not wish to have the item value escaped on rendering, then, as Scott suggested, the item type "Display as Text (does not save state)" should be used.
    Thanks for pointing this out.
    Joel

  • Howto escape special characters if using regexp_replace & regexp_substr

    hello experts,
    following test case
    insert into querytest1 (d) values
    ('#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0):  #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11');
    select regexp_replace(d, REGEXP_SUBSTR (REGEXP_SUBSTR(d, '[^ ]+', 1, 1), '[^:]+', 1, 2 ),'') from querytest1;
    ERROR at line 1:
    ORA-12726: unmatched bracket in regular expression
    proof that []{} special characters are the problem:
    delete from querytest1;
    commit;
    -- insert data without special characters
    insert into querytest1 (d) values ('#1(170):"type":"FACEBOOK","count":0,"lastEdition":1382627403299,"type":"GOOGLE","count":0,"lastEdition":1381825285002,"type":"EMAIL","count":2,"lastEdition":1381826322925] #2(0):  #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11');
    select regexp_replace(d, REGEXP_SUBSTR (REGEXP_SUBSTR(d, '[^ ]+', 1, 1), '[^:]+', 1, 2 ),'') from querytest1;
    REGEXP_REPLACE(D,REGEXP_SUBSTR(REGEXP_SUBSTR(D,'[^]+',1,1),'[^:]+',1,2),'')
    #1(170)::"FACEBOOK","count":0,"lastEdition":1382627403299,:"GOOGLE","count":0,"lastEdition":1381825285002,:"EMAIL","count":2,"lastEdition":1381826322925,:"EMAIL","count":2,"lastEdition":1381826322925] #2(0):  #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11
    so now it works because there are no special characters []{}
    is there a way to escape them?
    thank you in advance.

    oraman wrote:
    ok you're right I explain from the beginning.
    create table t (q varchar2(4000), d varchar2(4000), result varchar2(4000));
    insert into t (q,d) values ('#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0):  #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11',
    'UPDATE mytable set value=:1 , valuec=:2 , longvalue=:3 , doublevalue=:4  WHERE productattrnameid=:5  AND productid=:6   AND context=:7');
    I would like to get the following:
    select result from t;
    UPDATE mytable set value='[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}]' , valuec=NULL , longvalue=-3141 , doublevalue=-3141  WHERE productattrnameid=21804  AND productid=3890750   AND context='s11';
    the logic is to get the auditing data as ready to execute queries.
    It looks like you want to include every parameter, where a parameter is a pattern prefixed by #p1(length):param_value #p2(length):param_value etc.
    Something like this?
    set line 1000
    col txt format a200
    with querytest1 as
    (
    select '#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0):  #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11' d
      from dual
    )
    select 'UPDATE mytable set value='''|| nvl(trim(regexp_substr (d,'#\d+\(\d+\):([^# ]+)', 1, 1, null, 1 )), 'NULL')||''''
           || chr(10) ||'     , valuec='||nvl(trim(regexp_substr (d,'#\d+\(\d+\):([^#]+)', 1, 2, null, 1 )), 'NULL')
           || chr(10) ||'     , longvalue='|| nvl(trim(regexp_substr (d,'#\d+\(\d+\):([^#]+)', 1, 3, null, 1 )),'NULL')
           || chr(10) ||'     , doublevalue='||nvl(trim(regexp_substr (d,'#\d+\(\d+\):([^#]+)', 1, 4, null, 1 )),'NULL')
           || chr(10) ||' WHERE productattrnameid='||regexp_substr (d,'#\d+\(\d+\):([^#]+)', 1, 5, null, 1 )
           || chr(10) ||'   AND productid='||regexp_substr (d,'#\d+\(\d+\):([^#]+)', 1, 6, null, 1 )
           || chr(10) ||'   AND context='''||regexp_substr (d,'#\d+\(\d+\):([^#]+)', 1, 7, null, 1 )||''';' txt
      from querytest1;
    Result:
    TXT                                                                                                                                                                                                    
    UPDATE mytable set value='[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}]'  
         , valuec=NULL                                                                                                                                                                                     
         , longvalue=-3141                                                                                                                                                                                 
         , doublevalue=-3141                                                                                                                                                                               
    WHERE productattrnameid=21804                                                                                                                                                                         
       AND productid=3890750                                                                                                                                                                               
       AND context='s11';                                                                                                                                                                                  
    1 row selected.
    I have a problem formatting the output in the forum but I hope you get it.
    Regards.
    Alberto

  • SQL Loader doesn't handle special characters

    Hi All:
    My DB characterset and NLS characterset is UTF8.
    When I tried to insert records with SQL*Loader having special characters, they don't get stored correctly, so when I try to get them out thru' SQLPlus Worksheet, it displays garbage characters.
    Do we have to set something in the control file?
    Pls. help.

    You need to create the data file in UTF8 format. For eg. On Win2K, "Save As" in Notepad as UTF8. Or use the uniconv utility to convert the data file to utf8.
    Here is an example of a control file
    'sqlldr32.cnt'
    load data
    infile 'sqlldr32.dat'
    APPEND into table nls_demo
    fields terminated by ',' optionally enclosed by '"'
    (myno char(10),
    myname char(40),
    mydesc char(1000))

  • Escape special characters in url for redirection

    In my web page, I want all the characters of the URL to be lower case. For that I created the following method:
    // requires: using System.Linq;
    private bool UrlFormatoCorrecto(string url)
    {
        bool formatoCorrecto = true;
        bool upperCa = url.Any(c => char.IsUpper(c));
        if (upperCa)
            formatoCorrecto = false;
        if (url.Contains(" ") || url.Contains("+"))
            formatoCorrecto = false;
        return formatoCorrecto;
    }
    This works like a charm until a special character appears. The url that I get then will be the following:
    http://localhost/web/coches/proven%C3%A7a-aribau,-08036-barcelona,-barcelona
    So I have upper case characters. When I redirect it using the following code:
    if (!UrlFormatoCorrecto(urlActual))
    Response.RedirectPermanent(urlActual.Replace(" ", "-").Replace("+", "-").ToLower());
    I get the code again with the same URL with upper case. How can I escape the special characters so they won't bother me anytime I want to make the redirection?

    hello,
    you could escape special caracters with :
    Regex.Escape Method
    Regards
    Cédric

  • [ask] about oracle sql injection and escalation

    Hello, I'm a student, I'm studying Oracle. Now I want to research Oracle SQL injection. I had read some tutorials such as *'Hacking Oracle From Web, Advanced SQL Injection In Oracle Databases, Oracle Hacker HandBook ...'* but when I try the demo on my local server (11.0.1.6) it does not run, and this is my demo
    -- first, I created table users
    create table users (name nvarchar2(50), pass nvarchar2(50));
    -- then i created procedure with system user
    create or replace procedure system.adduser(u nvarchar2,p nvarchar2)
    as
    begin
      insert into users values(u,p);
    end;
    -- grant execute privilege to oc user
    grant execute on adduser to oc;
    -- login with user oc and create a procedure
    create or replace procedure sqli
    as
    begin
      execute immediate 'grant dba to oc';
    end;
    -- and then,i run system's procedure
    declare
    begin
      system.adduser('admin','admin'' ; execute immediate  ''declare begin sqli() end;');
    end;
    I hope an Oracle master can help me so I can understand and improve my knowledge.
    Thanks

    The best forum for this is probably Forum Home » Java » SQLJ/JDBC
    Presumably you are referring to oracle.sql.TIMESTAMP. While this is intended to (and does) correspond to java.sql.Timestamp it can't be a subclass because it needs to be a subclass of oracle.sql.Datum.
