' Strips ASCII double quotes (Chr(34)) and ASCII single quotes from the input.
' Nothing else is touched: other characters, encodings and contexts are left as-is.
Function RemoveSuspeitos(ByVal strTXT As String) As String
    Dim txtAux As String
    txtAux = strTXT
    txtAux = Replace(txtAux, Chr(34), "")   ' remove "
    txtAux = Replace(txtAux, "'", "")       ' remove '
    RemoveSuspeitos = txtAux
End Function

DB: MSSQL

1) Forget syntax errors in the above code; I am not an expert in VB.

2) Let's say I always use single or double quotes, even for int values (e.g.: '" + $int_id + "').

Is this sanitization unsafe? If yes, why? Please show me a real exploit scenario.

Gumbo
Lucas NN
  • Well right off the bat I can see "delet" is spelled incorrectly so the actual "delete" keyword will never be replaced. – ilikebeets Apr 17 '14 at 05:22
  • Also, I'm no VB expert, but I'm pretty sure `txtAux = Replace(txtAux, "%22", "") '"` will result in compilation errors. – ilikebeets Apr 17 '14 at 05:32
  • [Same question on Stack Overflow.](http://stackoverflow.com/q/23125150/53114) – Gumbo Apr 17 '14 at 05:54
  • [SQL smuggling](http://security.stackexchange.com/a/54958/539) may be an issue here. – Gumbo Apr 17 '14 at 05:56

1 Answer


Yes, it is vulnerable. Depending on the input mechanism and the implementation, I can simply append a UNION and continue the query to select additional data. I cannot give you an exact scenario without seeing the implementation and the query this string is concatenated with. The fact is that you allow input beyond the scope you will need or want.

Just use parameterized SQL, I'm sure VB supports adding parameters to your queries.

See this

ilikebeets
  • What about escaping from the quoted string literal? – Gumbo Apr 17 '14 at 07:36
  • +1 for "just use parameterized SQL". A security best-practices tl;dr for every developer right there, if ever you needed one. – Matt Apr 17 '14 at 07:38
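The scenario the answer and Gumbo's "SQL smuggling" comment point at, as an added example that is not part of the question or the answer. It is written in Python against an in-memory SQLite database so it runs offline; the VB sanitizer is ported line for line, the query is concatenated exactly as item 2 of the question describes (value always inside single quotes), and the table names, sample rows and payload are constructed for the example. The one assumption is the `lossy_conversion` step: it uses NFKC normalisation, which folds U+FF07 FULLWIDTH APOSTROPHE to U+0027, as a stand-in for a character conversion that sits between the sanitizer and the SQL parser (on SQL Server, the best-fit conversion of an NVARCHAR value into a VARCHAR literal is the case the linked smuggling answer describes). The sanitizer never sees an ASCII quote, so it passes the payload through untouched; the quote only appears after the sanitizer has run.

```python
import sqlite3
import unicodedata

# Constructed sample data standing in for the application's database.
_SCHEMA = """
CREATE TABLE users (id TEXT, name TEXT);
INSERT INTO users VALUES ('1', 'alice'), ('2', 'bob');
CREATE TABLE secrets (secret TEXT);
INSERT INTO secrets VALUES ('hunter2');
"""


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(_SCHEMA)
    return con


def remove_suspeitos(text: str) -> str:
    """Python port of the VB RemoveSuspeitos(): drop ASCII 0x22 and 0x27, nothing else."""
    return text.replace('"', "").replace("'", "")


def build_query(user_id: str) -> str:
    """Concatenated query of the kind the question describes: value always inside single quotes."""
    return "SELECT name FROM users WHERE id = '" + remove_suspeitos(user_id) + "'"


def lossy_conversion(sql: str) -> str:
    """Model of a character conversion that happens AFTER the sanitizer and BEFORE the parser.

    NFKC folds U+FF07 FULLWIDTH APOSTROPHE to U+0027 and U+FF02 FULLWIDTH QUOTATION MARK to
    U+0022. Assumption: this stands in for SQL Server's best-fit Unicode-to-code-page
    conversion (the 'SQL smuggling' case); it is not SQL Server's own behaviour being executed.
    """
    return unicodedata.normalize("NFKC", sql)


def run_concatenated(user_id: str) -> list:
    """Vulnerable path: sanitize, concatenate, convert, execute."""
    con = _db()
    rows = con.execute(lossy_conversion(build_query(user_id))).fetchall()
    con.close()
    return [r[0] for r in rows]


def run_parameterized(user_id: str) -> list:
    """Hardened path: the value is bound as a parameter and can never become SQL syntax."""
    con = _db()
    rows = con.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    con.close()
    return [r[0] for r in rows]


# Constructed payload: every quote is U+FF07, so RemoveSuspeitos() leaves it untouched.
# After conversion it reads:  ' UNION SELECT secret FROM secrets WHERE '' = '
# and the closing quote the application appends completes the final literal.
SMUGGLED = "\uff07 UNION SELECT secret FROM secrets WHERE \uff07\uff07 = \uff07"

if __name__ == "__main__":
    print("sanitizer sees no ASCII quote:", remove_suspeitos(SMUGGLED) == SMUGGLED)
    print("query that reaches the parser:", lossy_conversion(build_query(SMUGGLED)))
    print("concatenated result:", run_concatenated(SMUGGLED))   # secrets leak via UNION
    print("parameterized result:", run_parameterized(SMUGGLED))  # just a non-matching id
```

A plain ASCII payload such as `1' OR '1'='1` does stay inside the literal once its quotes are stripped, which is why the sanitizer looks effective in a quick test; the failure is that it filters for one byte value while the database decides what counts as a quote, and that decision is made after a conversion the sanitizer never sees. The parameterized query sends the same bytes and returns nothing, because the driver never lets the value take part in parsing.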