
SQL Injection Nonsense

As you all know, we should NEVER EVER use SQL concatenation, to avoid SQL injection, but an app in the company I work for that was migrated to .NET still has some of those statements.

Since no problems had ever occurred, we didn't change them (it would be a very big effort), but recently, while we were testing a change request, something weird happened. I changed a record in the UI and ALL the records in the table got changed! Our first thought was: "Someone forgot the Where clause in the update statement!".

How surprised we were to find out that the application was SELF-INJECTING! I'll explain it further.

The Sql was something like:

Update Table set Field1 = 'string' where conditions...

It also updates several other fields, but the one we are concerned with is the string one. The problem is that this field was actually the logged-in user's name + the comment entered in the UI.

So the logged-in user name I was using was Bernardo Heynemann'. Yes, with a ' at the end of my name. That shouldn't be a problem, since it would trigger an error in the SQL. UNLESS my comment is one like this:

--Comment the rest of the line!

This way the final Sql String was:

Update Table set Field1 = 'Bernardo Heynemann'--Comment the rest of the line!' where conditions...

So you can see that the where conditions will never be executed, and the application has just SQL-injected itself.
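To make the failure mode concrete, here is an added example (not code from the original post or from the app it describes) that rebuilds the scenario on an in-memory SQLite table: the concatenated UPDATE beside the parameterized one, with the table, column and row values being constructed stand-ins for the real schema. It also shows why the bug stayed hidden: an ordinary name updates one row, the name with a trailing quote plus a normal comment raises a SQL error, and only the `--` comment silently drops the WHERE clause.

```python
import sqlite3


def make_db():
    """Constructed three-row table standing in for the app's real table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Tbl (Id INTEGER PRIMARY KEY, Field1 TEXT)")
    conn.executemany("INSERT INTO Tbl VALUES (?, ?)",
                     [(1, "one"), (2, "two"), (3, "three")])
    conn.commit()
    return conn


def build_concatenated_sql(user_name, comment, record_id):
    """The vulnerable pattern: Field1 = user name + comment, spliced into the SQL text."""
    field1 = user_name + comment
    return "UPDATE Tbl SET Field1 = '" + field1 + "' WHERE Id = " + str(record_id)


def update_concatenated(conn, user_name, comment, record_id):
    """Run the concatenated statement; returns rows changed, or 'error' if SQL rejects it."""
    try:
        cur = conn.execute(build_concatenated_sql(user_name, comment, record_id))
    except sqlite3.OperationalError:
        return "error"
    conn.commit()
    return cur.rowcount


def update_parameterized(conn, user_name, comment, record_id):
    """The fix: the value travels as a bound parameter and is never parsed as SQL."""
    cur = conn.execute("UPDATE Tbl SET Field1 = ? WHERE Id = ?",
                       (user_name + comment, record_id))
    conn.commit()
    return cur.rowcount


def field1_values(conn):
    """Current Field1 column, ordered by Id, for checking what actually changed."""
    return [row[0] for row in conn.execute("SELECT Field1 FROM Tbl ORDER BY Id")]


if __name__ == "__main__":
    name, comment = "Bernardo Heynemann'", "--Comment the rest of the line!"
    print(build_concatenated_sql(name, comment, 2))
    print(update_concatenated(make_db(), name, comment, 2))   # 3: WHERE clause commented out
    print(update_parameterized(make_db(), name, comment, 2))  # 1: only the intended row
```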

That was a weird case of SQL Injection that I wanted to share with you.


Published Saturday, March 17, 2007 2:15 PM by heynemann
