Question

I am maintaining a legacy system that uses Sybase ASE as the database. Because the system is a legacy system, the only way to create an SQL query is string concatenation (prepared statements are not possible*).

Is the below scheme sufficient for preventing SQL injection on "string" columns:

  1. Replace all instances of a single quote with two single quotes.
  2. Replace all instances of a double quote with two double quotes.

Keep in mind that the \ character is not an escape character in Sybase ASE. Also keep in mind that the columns in the selection clause and the tables in the from clause are static. The only thing that is dynamic is the where clause.

*Stored procs are not possible either, because string concatenation is needed to create the SQL query that calls the stored proc.
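As an added example (not from the question or any answer), here is the quote-doubling scheme in Python, restricted to single-quoted literals so it does not depend on the session's `quoted_identifier` setting, plus a small scanner that applies the same ASE quoting rules to the assembled SQL to confirm each user value stays inside its literal. The column allowlist and `scan_literals` helper are assumptions for the demonstration.

```python
# Sybase ASE T-SQL: backslash is not an escape; a quote inside a literal is
# written by doubling it. Always emitting single-quoted literals keeps the
# result independent of whether double quotes delimit strings or identifiers.
ALLOWED_COLUMNS = {"customer_name", "city"}  # assumed static columns


def quote_literal(value: str) -> str:
    """Return value as a single-quoted T-SQL string literal."""
    if not isinstance(value, str):
        raise TypeError("only str may be embedded as a string literal")
    if "\x00" in value:
        raise ValueError("NUL cannot appear in a string literal")
    return "'" + value.replace("'", "''") + "'"


def build_where(filters: dict) -> str:
    """Assemble 'WHERE col = <literal> AND ...' for allow-listed columns."""
    parts = []
    for column, value in sorted(filters.items()):
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column}")
        parts.append(f"{column} = {quote_literal(value)}")
    return "WHERE " + " AND ".join(parts)


def scan_literals(sql: str):
    """Split sql into (skeleton, literals) using ASE quoting rules: inside a
    literal only its own delimiter can end it, and a doubled delimiter is one
    literal character. Each literal is replaced by '?' in the skeleton."""
    skeleton, literals = [], []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            delim, buf, i = ch, [], i + 1
            while True:
                if i >= n:
                    raise ValueError("unterminated string literal")
                if sql[i] == delim:
                    if i + 1 < n and sql[i + 1] == delim:
                        buf.append(delim)
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(sql[i])
                i += 1
            literals.append("".join(buf))
            skeleton.append("?")
        else:
            skeleton.append(ch)
            i += 1
    return "".join(skeleton), literals
```

Running `scan_literals(build_where({"customer_name": "O'Brien", "city": "x' OR 'a'='a"}))` yields the skeleton `WHERE city = ? AND customer_name = ?` with both values recovered unchanged as literals, which is the property the scheme relies on for string columns; it says nothing about unquoted (numeric, date) positions, which need their own validation.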


Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange