|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: sql injection with order by
From: Ernest Nelson (juridian
juridian.com)
Date: Fri Apr 08 2005 - 17:30:06 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Adding the '--' comments out everything after the sql you're putting in. It
won't work without it because you are getting a syntax error on what you are
trying to run.
-----Original Message-----
From: dietf dietf [mailto:dietfyahoo.com]
Sent: Thursday, April 07, 2005 8:52 PM
To: pen-testsecurityfocus.com
Subject: sql injection with order by
Hi all,
I am trying to make an injection with the statement below,
SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
CusID='%Customer%' ORDER BY Sira, ProjeTurID"
in the statement above I inject ")select version-- for the variable
Customer. But unless I have ended inject code with -- nothing happens.
I get
SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
FirmaID=")select version-- ORDER BY Sira, ProjeTurID"
what is the problem? can anybody tell me?
Is the problem occurs from the word ORDER BY?
Thanks
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]