From: Philip Wagenaar (pb.wagenaar CHELLO.NL)
Date: Wed Feb 07 2001 - 18:34:25 CST
Be sure to put an input filter on %input%. If somebody enters a string
containing ' it will crash the query.
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST SECURITYFOCUS.COM] On Behalf Of Aurobindo Sundaram (+1 512 918 1390)
Sent: Wednesday 7 February 2001 21:08
To: PEN-TEST SECURITYFOCUS.COM
Subject: [PEN-TEST] Hacking SQL queries ...
I have to audit a bit of code that does the following:
SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name
where input is the user-input. When I try the input 'test, the code
generated is
SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name
Since I'm an SQL newbie, I'd be curious to know how someone could supply
the appropriate input to do bad things on the SQL server - either in R/O or
R/W mode.
If there are SQL hacking pages someplace, a link would be appreciated.
Thanks,
Robin
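An added example (not from either poster) illustrating the two messages above: the query from the question built by splicing the input into the SQL text, which the input `'test` breaks exactly as the reply predicts, beside the same query with a bound parameter, which treats the input as data. It assumes the quote is not doubled on the way in (the question's output shows doubling), uses SQLite in memory, and constructs its own sample rows since the page gives only the table and column names.

```python
import sqlite3

# Constructed sample data; the page only names the Users table and Name column.
USERS = [("alice",), ("bob",), ("o'brien",), ("test_user",)]


def make_db():
    """Build an in-memory Users table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?)", USERS)
    return conn


def search_concat(conn, user_input):
    """The pattern from the question, assumed without quote doubling: the
    input is pasted into the SQL text, so a quote in it changes the statement.
    Returns ('ok', names) or ('error', message)."""
    sql = ("SELECT Name FROM Users WHERE Name LIKE '%"
           + user_input + "%' ORDER BY Name")
    try:
        return "ok", [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error", str(exc)


def search_param(conn, user_input):
    """Bound parameter: the input never becomes part of the SQL text, so a
    quote cannot alter the statement. LIKE wildcards in the input are escaped
    so they match literally instead of acting as patterns."""
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    sql = "SELECT Name FROM Users WHERE Name LIKE ? ESCAPE '\\' ORDER BY Name"
    return "ok", [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    print(search_concat(db, "'test"))   # the quote breaks the statement
    print(search_param(db, "'test"))    # same input, handled as data
    print(search_param(db, "'bri"))     # quotes in names still searchable
```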