This could trick an authentication procedure into believing that a valid clientname had been provided, because `'1' = '1'` is always true.
Prevention of SQL Injection attacks can be difficult to get right. Many security professionals recommend stripping out characters such as single quotes, but names such as O'Sullivan still need to be accepted by most applications.
I prefer to implement a layered approach to preventing SQL Injection attacks, starting with strict whitelist validation on every field an external user can modify. Whitelist validation simply means defining what a field is allowed to contain (e.g. a credit card number field should contain only digits) and removing anything that doesn't match the whitelist.
In addition to whitelists, the application's architecture should use parameterised stored procedures, which are an effective mechanism for preventing most forms of SQL Injection attacks.
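As an added worked example (not code from the original post), the layered approach described above in Python with sqlite3: a string-concatenated login that the `'1' = '1'` tautology at the top of the post satisfies, beside the same login protected by a whitelist check plus a parameterised query, and a lookup showing that the whitelist can still admit a legitimate apostrophe in O'Sullivan. SQLite has no stored procedures, so parameter binding on a plain statement stands in for them; the schema, the regular expressions and the sample row are assumptions constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory sample database for the demonstration (not a real schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE clients (clientname TEXT, fullname TEXT, password TEXT)")
conn.execute("INSERT INTO clients VALUES ('dosullivan', 'Dan O''Sullivan', 'secret')")

# Assumed whitelists, one per field: a login name is 3-32 alphanumerics/underscores;
# a full name may also contain spaces, hyphens and apostrophes (so O'Sullivan passes).
CLIENTNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
FULLNAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,63}$")

def matches_whitelist(value, pattern):
    """Whitelist validation: accept only what the field should contain."""
    return isinstance(value, str) and bool(pattern.match(value))

def login_vulnerable(clientname, password):
    """The 'before' form: input spliced into the SQL text, so a quote in the
    input changes the query structure and the always-true comparison the
    post describes satisfies the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM clients WHERE clientname = '%s' "
           "AND password = '%s'" % (clientname, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(clientname, password):
    """Layered defence: whitelist the field, then bind values as parameters
    so the database never interprets them as part of the SQL."""
    if not matches_whitelist(clientname, CLIENTNAME_RE):
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM clients WHERE clientname = ? AND password = ?",
        (clientname, password)).fetchone()
    return row[0] > 0

def find_by_fullname(fullname):
    """Parameter binding also lets a legitimate apostrophe through unchanged."""
    if not matches_whitelist(fullname, FULLNAME_RE):
        return []
    rows = conn.execute("SELECT clientname FROM clients WHERE fullname = ?",
                        (fullname,)).fetchall()
    return [r[0] for r in rows]
```

A stored procedure that concatenates its arguments into dynamic SQL internally gets none of this protection; it is the binding of values as parameters that does the work.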
