Hi All,

In my program, the user has the ability to enter a password for himself. And one of the users had problems during this procedure. It turned out that he was entering the password "k\xE08"

GRANT CONNECT TO "user1" IDENTIFIED BY 'k\xE08'

and when this password was stored in the database, it turned into the string "ka8". The reason for this is understandable to me in principle - SAW considers "\xE0" the code of the letter "a".

Question: Is there any way around this transformation ?

asked 23 Apr '20, 09:21

Stalker


The password is a SQL string and hence the \xE0 portion is interpreted as an escape sequence. Likely your database charset is windows-1252 in which case character E0 is a-grave.

The question is, what did you want to have happen? If you wanted the password to be literally the six-character sequence k\xE08 then you haven't properly sanitized your inputs and your application is vulnerable to SQL-injection attacks.

To fix it, sanitize your inputs by disallowing problematic characters, properly escaping problematic characters or using a host variable.

answered 23 Apr '20, 09:29

John Smirnios

edited 23 Apr '20, 10:31

Volker Barth
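To make the escape-sequence problem and the fix concrete, here is an added Python example (not code from the question or the answer): a small model of how a single-quoted SQL string literal is read, an escaping helper that lets a password such as k\xE08 round-trip verbatim, and a statement builder. Assumptions are labelled in the code: backslash escapes \\, \n and \xhh plus the doubled quote '' are honoured, the hex byte is decoded as windows-1252 (the charset the answer suggests), and identifiers are double-quoted with embedded quotes doubled; where your driver supports binding a host variable, that remains preferable to building the statement as text.

```python
import re

# Assumption: the server honours these escapes inside a '...' literal, and a
# \xhh byte is decoded in the windows-1252 database charset (answer above).
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\n|\\\\|''")


def interpret_literal(body: str) -> str:
    """Return the value the server would actually store for a literal body.

    This is a constructed model of the literal parser, used here only to show
    why 'k\\xE08' becomes 'k' + a-grave + '8'.
    """
    def sub(m: re.Match) -> str:
        if m.group(1):  # \xhh -> one byte in the database charset
            return bytes([int(m.group(1), 16)]).decode("cp1252")
        return {"\\n": "\n", "\\\\": "\\", "''": "'"}[m.group(0)]
    return _ESCAPE.sub(sub, body)


def escape_password(raw: str) -> str:
    """Escape a user-supplied password so the literal yields it unchanged.

    Doubling the backslash stops \\xE0 (and \\n, \\\\) from being decoded,
    and doubling the single quote stops the literal from being terminated
    early, which is what makes the raw version injectable.
    """
    return raw.replace("\\", "\\\\").replace("'", "''")


def grant_connect(user: str, raw_password: str) -> str:
    """Build the GRANT CONNECT statement with both operands escaped.

    Assumption: identifiers are quoted with " and an embedded " is doubled.
    """
    safe_user = user.replace('"', '""')
    return (f'GRANT CONNECT TO "{safe_user}" '
            f"IDENTIFIED BY '{escape_password(raw_password)}'")


if __name__ == "__main__":
    raw = "k\\xE08"                      # the six characters the user typed
    print(repr(interpret_literal(raw)))  # what an unescaped literal stores
    print(grant_connect("user1", raw))   # the statement that keeps it intact
```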
