From: Aurobindo Sundaram (+1 512 918 1390) (sundaramAUSTIN.APC.SLB.COM)
Date: Wed Feb 07 2001 - 14:07:35 CST


    I have to audit a bit of code that does the following

    SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name

    where input is the user input. When I try the input 'test, the code
    generated is

    SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name

    Since I'm an SQL newbie, I'd be curious to know how someone could supply
    the appropriate input to do bad things on the SQL server - either in R/O or
    R/W mode

    If there are SQL hacking pages someplace, a link would be appreciated

    Thanks,
    Robin
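The two things a reviewer would want to see for the query in this post are (a) whether doubling the single quote really keeps the user's text inside the string literal, and (b) what the concatenation still leaves uncontrolled once quotes are handled. The following is an added example, not code from the post or from its author; it uses Python's built-in sqlite3 module and a constructed Users table, because the original database engine is not named precisely. It shows the post's approach (quote doubling plus string concatenation) beside a hardened version that binds the pattern as a parameter and escapes the LIKE wildcards % and _ with an explicit ESCAPE character, so that user text is matched literally. Escaping rules differ between engines (the backslash handling shown here is SQLite's behaviour with ESCAPE '\'), so the parameter-binding part is the portable lesson.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the post).
SAMPLE_NAMES = ["alice", "test_user", "bob", "o'test", "100%"]

LIKE_ESCAPE = "\\"  # escape character used in the hardened query


def make_db():
    """Create an in-memory Users table matching the post's column name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT)")
    conn.executemany("INSERT INTO Users (Name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def search_concat(conn, user_input):
    """The pattern described in the post: double single quotes, then
    concatenate the text into the SQL string.  With the quote doubled,
    '%''test%' is one literal containing the characters %'test%, so the
    quote itself no longer terminates the string.  However, % and _ in
    user_input are still interpreted as LIKE wildcards."""
    escaped = user_input.replace("'", "''")
    sql = f"SELECT Name FROM Users WHERE Name LIKE '%{escaped}%' ORDER BY Name"
    return [row[0] for row in conn.execute(sql)]


def escape_like(text, esc=LIKE_ESCAPE):
    """Escape the escape character first, then the LIKE wildcards, so the
    resulting pattern matches `text` literally under LIKE ... ESCAPE."""
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_param(conn, user_input):
    """Hardened version: the whole pattern is passed as a bound parameter,
    so no user character can alter the SQL text, and the wildcards inside
    the user's input are escaped so they are matched literally."""
    pattern = "%" + escape_like(user_input) + "%"
    sql = ("SELECT Name FROM Users WHERE Name LIKE ? ESCAPE '\\' "
           "ORDER BY Name")
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    conn = make_db()
    for inp in ["test", "'test", "%", "_"]:
        print(repr(inp), "concat:", search_concat(conn, inp),
              "param:", search_param(conn, inp))
```

For the input 'test from the post, both versions return only o'test: the doubled quote behaves as a literal on this engine, which is the behaviour the author observed. The difference appears with the inputs % and _: the concatenated query returns every row (the wildcards are still live), while the parameterized query with wildcard escaping returns only the names that actually contain those characters.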