britter

Reputation: 151

SQL injection in oracle with sanitized input

I'm looking at some old PHP code, trying to figure out if it's vulnerable to SQL injection. My boss believes it's safe, but I'm hesitant to accept that. It's using an Oracle DB.

It's old code, and the query is being built via string concatenation (sprintf). However, the user input string has all hyphens and spaces removed (via str_replace), and addslashes() is called on it. Is there still any threat of an attack in this case? Can you give an example?

Since the code was written we have moved to using parametrized queries, so ideally we update it to that, but I'm trying to prove the need to do so.

Upvotes: 1

Views: 493

Answers (1)

There are some examples of how to perform an injection attack against something using addslashes here:

If that little lot does not convince the boss, then maybe set it up on a test server and create a POC injection against the code, using what is explained in the above links, to give a demonstration of an attack. A DROP TABLE is quite dramatic, as is tricking the script into spewing out the DB contents onto the page.

Upvotes: 2
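The core problem with the legacy sanitisation is not the missing characters but the escaping function itself: addslashes() produces MySQL-style `\'`, and Oracle does not treat a backslash as an escape inside a string literal (quotes are escaped by doubling them). The example below is added here and is not the questioner's or the answerer's code: it reproduces the described sanitisation to show what text actually reaches Oracle, shows the quoting Oracle expects, and then the bind-variable form the question says the codebase has moved to. The table and column names, and the `$conn` handle (assumed to come from an existing oci_connect() call), are assumptions; only the last function needs a real Oracle connection.

```php
<?php
// Added example (not from the question or answer): why addslashes() is the wrong
// escaping for Oracle, and the bind-variable form that avoids the problem.

// Reproduces the legacy sanitisation the question describes.
function legacy_sanitize(string $input): string
{
    $stripped = str_replace(['-', ' '], '', $input);   // hyphens and spaces removed
    return addslashes($stripped);                       // ' becomes \'  (MySQL-style)
}

function legacy_query(string $input): string
{
    return sprintf("SELECT * FROM users WHERE username = '%s'", legacy_sanitize($input));
}

// Oracle has no backslash escape inside string literals: the only way to put a
// quote into a literal is to double it (''). In the SQL text produced below the
// backslash is an ordinary character and the quote still closes the literal.
$example = "O'Brien";                      // constructed, perfectly ordinary input
echo legacy_query($example), "\n";
// SELECT * FROM users WHERE username = 'O\'Brien'
//   Oracle reads 'O\' as the complete literal and then parses Brien' as SQL.
// A legitimate surname already breaks the statement, which shows the quote is
// not neutralised: anything after it is interpreted as SQL rather than as data.

// The escaping Oracle actually expects, if a literal must be built by hand
// (still not the recommended approach):
function oracle_quote_literal(string $s): string
{
    return "'" . str_replace("'", "''", $s) . "'";
}
echo "SELECT * FROM users WHERE username = " . oracle_quote_literal($example), "\n";
// SELECT * FROM users WHERE username = 'O''Brien'

// The fix the question mentions: a bind variable. The value never becomes part
// of the SQL text, so no quoting rule can be bypassed. $conn is assumed to be an
// existing oci_connect() handle; this function only runs against a real database.
function find_user($conn, string $username)
{
    $stmt = oci_parse($conn, 'SELECT * FROM users WHERE username = :uname');
    oci_bind_by_name($stmt, ':uname', $username);
    oci_execute($stmt);
    return oci_fetch_assoc($stmt);  // false when no row matches
}
```

Running the first part on a plain PHP CLI is enough for the argument with the boss: the emitted SQL shows that the backslash does not protect the quote, so the string the application trusts as "sanitised" still contains an active literal delimiter. The bind-variable version is the same query the question already plans to move to, and it removes the quoting question entirely.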
