SQL LIMIT syntax is not an effective control against SQL injection

[wireghoul]

Top 10-2017 A1-Injection says:

Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection

This statement is problematic in that if an attacker is able to insert syntax into the SQL statement then they can simply bypass the LIMIT clause by injecting a comment, stacking queries, etc. This is due to the LIMIT statement occurring last in SQL syntax.

While there may be cases where the attacker is limited in syntax and the LIMIT statement has some effect it seems rather pointless to recommend this without also recommending things that will lead to detection. This is primary screen real estate spent on a very ineffective control instead of a better control or even addressing one of the other attacks that are also listed on the page, but has no additional information:

SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries.

Cheers!

[katyanton]

👍 on this one - to remove "Limit" as control for injection

[jmanico]

Very well said Katy! +1!

[phyushin]

👍 for this being removed it's a bit misleading

[bsmelo]

Hi guys, any news on this one?

This LIMIT clause issue reached me in a rather curious manner. The OWASP Top 10 is a recurring topic for IT roles in Civil Service Examinations in Brazil. Recently, in one of the major nationwide exams, "Using LIMIT to prevent SQL Injection" was given as the correct answer to one of the questions. The first thing I thought was "Well, there's no way this can be correct"; but then a friend pointed me to the OWASP Top 10 page as the reference used by the examiners. And it's still there in the 2021 version.

Since a simple counterexample can be built with SELECT * FROM Users WHERE user_id = :user_id LIMIT 1; as the supposedly "mass disclosure-protected query" and 1 OR 1=1;-- as the attack string, the statement is clearly misleading.

[jmanico]

+1

[phyushin]

+1