1. No category

slides

Secure Software Development Course
Computer Eng. Depart. – Sharif Univ.
Ahmad Boorghany
[email protected]
Spring 1392
 Impact:


SEVERE
Steal/change/delete data
System access
 GET

http://.../?name=Bobby';DROP TABLE users –-
 POST
http://login.example.com
 name=' OR ''='&password=' OR ''=‘

 What
happens

SELECT * FROM users WHERE name='myname' AND password='mypass'

SELECT * FROM users WHERE name='' OR ''='' AND password='' OR ''=''
Secure Software Development - Sharif University
[email protected]
2
 Python:
 PHP:
Secure Software Development - Sharif University
[email protected]
3
 Python:
 PHP:
Secure Software Development - Sharif University
[email protected]
4
 Validate

mysql_real_escape_string
 Consider



all inputs:
GET variables
POST variables
HTTP Request Headers



 Do

and escape inputs
Cookie
Referrer
User Agent
NOT validate by hand!
str_replace(“'”, “\\'”, $_GET[“name”]);
Secure Software Development - Sharif University
[email protected]
5
 SQLi
in User Agent:
 SQLi
in Cookie:
Secure Software Development - Sharif University
[email protected]
6
 Parameterized
statements
 Python
 Java
Secure Software Development - Sharif University
[email protected]
7
 Be
careful of LIKE statements.
 Whenever LIKE is used, in addition to regular
escaping:

% and _ must be escaped from user input.
 Validating


functions DO NOT do this for you.
Like mysql_real_escape_string in PHP.
Or like cursor.execute escaping in Python.
 You
must do it by hand.
Secure Software Development - Sharif University
[email protected]
8
 Parameterized
Stored Procedures
 NOT all stored procedures are safe.
 Insecure sample:
Secure Software Development - Sharif University
[email protected]
9
 Secure
one:
Secure Software Development - Sharif University
[email protected]
10
 Value
types are important.
 Do NOT use mysql_real_escape_string for
integers. Cast them instead. Bad usage:
 Performance
Issue: Do not write ‘12’ instead
of 12. Otherwise the index is not used
properly.
Secure Software Development - Sharif University
[email protected]
11
 Use


parameterized queries everywhere:
NO excepted query!
NO excepted parameter!
Secure Software Development - Sharif University
[email protected]
12
1.
2.
3.
http://love-python.blogspot.com/2010/08/prevent-sqlinjection-in-python-using.html
http://blogs.msdn.com/b/brian_swan/archive/2011/02/16/
do-stored-procedures-protect-against-sql-injection.aspx
https://www.owasp.org/index.php/SQL_Injection_Preventio
n_Cheat_Sheet
Secure Software Development - Sharif University
[email protected]
13

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz