
SQL LIMIT syntax is not an effective control against SQL injection #474

Open
wireghoul opened this issue Aug 22, 2019 · 6 comments · May be fixed by #721

Comments

@wireghoul

Top 10-2017 A1-Injection says:

Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection

This statement is problematic in that if an attacker is able to insert syntax into the SQL statement then they can simply bypass the LIMIT clause by injecting a comment, stacking queries, etc. This is due to the LIMIT statement occurring last in SQL syntax.

While there may be cases where the attacker is limited in syntax and the LIMIT statement has some effect, it seems rather pointless to recommend this without also recommending things that will lead to detection. This is primary screen real estate spent on a very ineffective control instead of a better control, or even addressing one of the other attacks that are also listed on the page but have no additional information:

SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries.

Cheers!

@vanderaj vanderaj added this to the Top 10 2017 Follow-up milestone Sep 26, 2019
@katyanton

👍 on this one - to remove "Limit" as control for injection

@jmanico
Member

jmanico commented Sep 27, 2021 via email

@phyushin

👍 for this being removed, it's a bit misleading

@bsmelo

bsmelo commented May 21, 2022

Hi guys, any news on this one?

This LIMIT clause issue reached me in a rather curious manner. The OWASP Top 10 is a recurring topic for IT roles in Civil Service Examinations in Brazil. Recently, in one of the major nationwide exams, "Using LIMIT to prevent SQL Injection" was given as the correct answer to one of the questions. The first thing I thought was "Well, there's no way this can be correct"; but then a friend pointed me to the OWASP Top 10 page as the reference used by the examiners. And it's still there in the 2021 version.

Since a simple counterexample can be built with SELECT * FROM Users WHERE user_id = :user_id LIMIT 1; as the supposedly "mass disclosure-protected query" and 1 OR 1=1;-- as the attack string, the statement is clearly misleading.
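The counterexample above, run against an in-memory SQLite table, as an added example that is not part of this thread (table contents are constructed): with string concatenation the injected comment removes the trailing LIMIT 1 and every row comes back, while the same input bound as a query parameter is treated as data and matches nothing.

```python
import sqlite3

# The attack string quoted in the comment above.
ATTACK = "1 OR 1=1;--"


def make_db():
    """Constructed sample data: a three-row Users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable pattern: untrusted input spliced into the SQL text.

    The LIMIT 1 is meant to cap disclosure to one row, but it sits at the
    end of the statement, so an injected '--' comments it out entirely.
    """
    sql = "SELECT * FROM Users WHERE user_id = " + user_id + " LIMIT 1"
    return conn.execute(sql).fetchall()


def lookup_param(conn, user_id):
    """Hardened pattern: the value is bound as a parameter, never parsed as SQL.

    LIMIT 1 is still present, but it is no longer doing the security work;
    parameter binding is.
    """
    sql = "SELECT * FROM Users WHERE user_id = ? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concat, legit input :", lookup_concat(db, "2"))   # one row
    print("concat, attack input:", lookup_concat(db, ATTACK))  # all three rows
    print("param,  legit input :", lookup_param(db, "2"))    # one row
    print("param,  attack input:", lookup_param(db, ATTACK))   # no rows
```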

cmlh added a commit to cmlh/Top10 that referenced this issue Jun 2, 2022
@cmlh cmlh linked a pull request Jun 2, 2022 that will close this issue
@jmanico
Member

jmanico commented Jun 14, 2022

+1

@phyushin

+1
