sql injection in integer field - sql

I have an app, and the username field will convert any given value to the integer value using integer.parseint. The app uses JSP and Oracle database.
The URL has been tested with SQLMap and it is not dynamic. So, the only way I can try is via the login form, but I could not bypass it.
When I put ' or 1=1, -- ,the server return error, error for input string.
I want to inject the field, so, how can it be done?
I don't know whether I can use the alternate encoding because it will convert that to integer anyway.

It can't be done.
If the value is parsed as an integer, it can no longer contain any harmful code.

Related

DateInput yields empty strings for allowEmpty inputs

One hiccup we ran into with React Admin was around date fields for a table. We're just using the stock ra-data-json-server package. Our backend should be receiving a null value for an empty date, but it comes through as a blank string instead. What's the best approach for handling this?
Creating a custom DateInput component that yields null for an empty date.
Creating a custom data provider that would convert an empty string to null (not sure if it would have enough context to do this, though).
Something else I haven't thought of.
I'm not keen on doing the translation at the API end, since I'd like to keep the API clean and only allow for a valid date or a null value.
You can transform the input value using the parse / format functions:
https://marmelab.com/react-admin/Inputs.html#transforming-input-value-tofrom-record

VB.NET hardcoding with obfuscation trouble

I need to hardcode a string in my source code and make an "if clause check" to see if the user entered input is the same or not. I am also using EAZfuscator.net for obfuscating the code.
However, when ı use the obfuscator, I think it changes my hardcoded string and I can not perfrom the check. How can I overcome this problem? Can I use HEX values instead. How can I find the HEX values for string characters? I use webcomverters but can not seem to get the correct characters.
Thanks for all the help!

Get Text Symbol Programmatically With ID

Is there any way of programmatically getting the value of a Text Symbol at runtime?
The scenario is that I have a simple report that calls a function module. I receive an exported parameter in variable LV_MSG of type CHAR1. This indicates a certain status message created in the program, for instance F (Fail), X (Match) or E (Error). I currently use a CASE statement to switch on LV_MSG and fill another variable with a short description of the message. These descriptions are maintained as text symbols that I retrieve at compile time with text-MS# where # is the same as the possible returns of LV_MSG, for instance text-MSX has the value "Exact Match Found".
Now it seems to me that the entire CASE statement is unnecessary as I could just assign to my description variable the value of the text symbol with ID 'MS' + LV_MSG (pseudocode, would use CONCATENATE). Now my issue is how I can find a text symbol based on the String representation of its ID at runtime. Is this even possible?
If it is, my code would look cleaner and I wouldn't have to update my actual code when new messages are added in the function module, as I would simply have to add a new text symbol. But would this approach be any faster or would it in fact degrade the report's performance?
Personally, I would probably define a domain and use the fixed values of the domain to represent the values. This way, you would even get around the string concatenation. You can use the function module DD_DOMVALUE_TEXT_GET to easily access the language-dependent text of a domain value.
To access the text elements of a program, use a function module like READ_TEXT_ELEMENTS.
Be aware that generic programming like this will definitely slow down your program. Whether it would make your code look cleaner is in the eye of the beholder - if the values change rarely, I don't see why a simple CASE statement should be inferior to some generic text access.
Hope I understand you correctly but here goes. This is possible with a little trickery, all the text symbols in a report are defined as variables in the program (with the name text-abc where abc is the text ID). So you can use the following:
data: lt_all_text type standard table of textpool with default key,
lsr_text type ref to textpool.
"Load texts - you will only want to do this once
read textpool sy-repid into lt_all_text language sy-langu.
sort lt_all_Text by entry.
"Find a text, the field KEY is the text ID without TEXT-
read table lt_all_text with key entry = i_wanted_text
reference into lsr_text binary search.
If you want the address you can add:
field-symbols: <l_text> type any.
data l_name type string.
data lr_address type ref to data.
concatenate 'TEXT-' lsr_text->key into l_name.
assign (l_name) to <l_text>.
if sy-subrc = 0.
get reference of <l_text> into lr_address.
endif.
As vwegert pointed out this is probably not the best solution, for error handling rather use message classes or exception objects. This is useful in other cases though so now you know how.

Protecting against SQL injection in python

I have some code in Python that sets a char(80) value in an sqlite DB.
The string is obtained directly from the user through a text input field and sent back to the server with a POST method in a JSON structure.
On the server side I currently pass the string to a method calling the SQL UPDATE operation.
It works, but I'm aware it is not safe at all.
I expect that the client side is unsafe anyway, so any protection is to be put on the server side. What can I do to secure the UPDATE operation agains SQL injection ?
A function that would "quote" the text so that it can't confuse the SQL parser is what I'm looking for. I expect such function exist but couldn't find it.
Edit:
Here is my current code setting the char field name label:
def setLabel( self, userId, refId, label ):
self._db.cursor().execute( """
UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?""", ( label, userId, refId) )
self._db.commit()
From the documentation:
con.execute("insert into person(firstname) values (?)", ("Joe",))
This escapes "Joe", so what you want is
con.execute("insert into person(firstname) values (?)", (firstname_from_client,))
The DB-API's .execute() supports parameter substitution which will take care of escaping for you, its mentioned near the top of the docs; http://docs.python.org/library/sqlite3.html above Never do this -- insecure.
Noooo... USE BIND VARIABLES! That's what they're there for. See this
Another name for the technique is parameterized sql (I think "bind variables" may be the name used with Oracle specifically).

T-SQL code for converting nvarchar string to UTF-8 (for URL percent-encoding)

I need to generate an URL string for a SSRS report (in order to link it with our CRM software). The report name is in Hebrew. When I send the URL string (with Heb) to Internet Explorer, it doesn't recognize the address because it isn't encoded with Percent-encoding (BTW, it works fine in Firefox). (Sending a URL with English only does work fine that way.)
Anyway, I tried to perform the encoding. I succeeded converting it to URI with UNICODE characters. I need to get the URI in UTF-8. For example, the letter 'י' should be converted into '%d7%99' and not to '%05%D9'.
I included a link:
A table with the codes, for your use, if needed.
I need the conversion\encoding function for 1 character. I can build the rest of the script / function for the complete string by myself.
I used a script which used the master.sys.fn_varbintohexstr function. As I said, though, the results aren't proper for IE.
the following:
SELECT master.sys.fn_varbintohexstr((CAST (N'י' AS varbinary)))
will get 0xd905, which I formatted into percent encoding. I should get 'd7 99' instead.
wrap up:
I convert an Hebrew character into URI percent encoding. I get a unicode result. I wish > to get a utf8 result.
Input = 'י'. Current output = %d9. Wanted output = %d7%99
How can I get those results?
I have had to deal with a few similar problems and there are two approaches that you may wish to consider; the first is to transform your data into HTML in the query and then render the result as HTML in the RDL, the second is to use JQuery to identify those cells with the incorrect value on the client and then transform that cell (again, using JQuery). The benefit of the second option is that if the server rendering is working on Firefox the transformation overhead doesn't get invoked. The downside is that if you are not rendering the report as HTML it won't work.
For the first option, in the select statement you would need to alter the appropriate column to produce a nvarchar value that looks like
<span style="font=yourfont;" charset="UTF-8">linkname</span>
With that string as data you then assign that to the appropriate columns (or cells, as needed)
In the RDL designer drag a placeholder for your field onto the designer and right click the placeholder and select placeholder properties then you can select to display the content as HTML.