Subject: Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
From: Smith, Eric V. (EricSmithWINDSOR.COM)
Date: Wed Feb 09 2000 - 05:35:46 CST


Not true, at least for the case of MS Sql Server 7. The following
statement:

insert into customer (name, primary_contact)
values ('a', '4')

succeeds where primary_contact is of type int (I also tried numeric just to
be sure). I write code like this all of the time when I know the column
names but not their types.

Did you actually try this yourself before posting? What results did you
observe?

Eric.

> -----Original Message-----
> From: Jeremy Whittington [mailto:jwhittINSIDERMARKETING.COM]
> Sent: Tuesday, February 08, 2000 10:52 AM
> To: BUGTRAQSECURITYFOCUS.COM
> Subject: Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
>
>
> Hello,
>
> I would like to make a comment on your statement about SQL syntax and how
> you deal with numeric values.
>
> > If you're stating that you cannot enclose your numeric values in single
> > quotes in SQL query strings, it seems to be incorrect. I'm also using SQL
> > as my backend, and I've ALWAYS enclosed numbers in single quotes, and it
> > has always worked.
>
> When inserting data into a Numeric datatype you do not use single quotes
> around the values.
>
> If Field2 was a Numeric datatype in this example it would fail on MS SQL
> Server 6.5, 7.0, MS Access 97/2k, Oracle 6i+, and dBase.
> INSERT INTO Table (Field1, Field2) VALUES ('String', '1')
>
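As an added example, not taken from this thread, here is a T-SQL script that shows the implicit conversion Eric describes, what happens when the quoted text is not numeric, and a typed parameter that removes the quoting question entirely; it assumes SQL Server 2008 or later (for TRY/CATCH and inline DECLARE initialisation) and made-up table and column names.

```sql
-- Added example (not from the thread): quoted numeric literals on MS SQL Server.
CREATE TABLE customer (
    name            varchar(50) NOT NULL,
    primary_contact int         NOT NULL
);

-- A quoted literal into an int column succeeds: '4' is implicitly converted to int 4.
INSERT INTO customer (name, primary_contact) VALUES ('a', '4');

-- Quoted text that is not a valid number is rejected by the same implicit
-- conversion, so the row is never written and the error can be logged.
BEGIN TRY
    INSERT INTO customer (name, primary_contact) VALUES ('b', '4x');
END TRY
BEGIN CATCH
    PRINT 'rejected: ' + ERROR_MESSAGE();
END CATCH;

-- Confirm that what was stored is an int, not a string.
SELECT name,
       primary_contact,
       SQL_VARIANT_PROPERTY(primary_contact, 'BaseType') AS stored_type
FROM customer;

-- Typed parameter: the value is bound as int instead of being spliced into the
-- statement text, so there is no quoting decision and nothing to inject into.
DECLARE @contact int = 4;
EXEC sp_executesql
    N'INSERT INTO customer (name, primary_contact) VALUES (@n, @c)',
    N'@n varchar(50), @c int',
    @n = 'c', @c = @contact;
```

Whether a quoted number is accepted is an engine-specific conversion rule, which is why the replies in this thread disagree; binding the value with its declared type makes the behaviour independent of that rule.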