Penetration Testing mailing list archives
Re: [PEN-TEST] stacking SQL requests
From: Justin Shaffer <justins () SCREAMINGMEDIA COM>
Date: Thu, 31 Aug 2000 08:46:28 -0400
I could be wrong, because I haven't looked into it at all, but I believe that that part of it (which lets you or doesn't let you execute multiple SQL commands) is in the DBD. I think I can issue multiple commands in a single call w/ the DBI/Oracle DBD that I use.

-Justin

Emmanuel Gadaix wrote:
Anybody know of anything equivalent for _Oracle_ SQL ? (sending mail, executing shell commands, etc.)

Thanks

At 01:21 AM 31/8/2000, you wrote:

You can find M$ info on xp_sendmail at:
http://support.microsoft.com/support/SQL/Content/inprodhlp/_xp_sendmail.asp?LN=EN-US&SD=gn&FR=0

Please note that you have to have configured the SQLMail agent (install Outlook, set up profile, etc.) for any of this to even run. As far as quoted statements, I'm under the presumption that you have to roll your own. Anyone that doesn't do any syntax checking on the queries from this type of thing is asking for it.

'drew

-----Original Message-----
From: Nicolas Gregoire [mailto:nicolas.gregoire () 7THZONE COM]
Sent: Wednesday, August 30, 2000 11:30 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] stacking SQL requests

Emmanuel Gadaix wrote:

That is, inputs such as:

hisname' ; select sysdate from dual --

will result in:

ERROR at line 2:
ORA-00911: invalid character

Has anybody on the list been playing with this on Oracle? Other databases?

Do you use an interface between your web-form and your DB ? For example, using Perl and the DBI.pm interface with the MySQL driver, it is impossible to execute something like:

(select * from CLIENTS where nom="my_name" ; drop CLIENTS ) #)"

when your input is:

my_name" ; drop CLIENTS ) #

because the DBI Perl module forbids the execution of more than one command at the same time. I don't know for other DBs...., sorry

(who knows about a stored-procedure in MS SQL allowing to send results by mail ?)

--
Emmanuel Gadaix
The Relay Group
http://relaygroup.com
9A1C A656 5F15 977D 0A1B 5E11 E06F 439C 3C68 7413
--
Justin Shaffer
UNIX System Administrator/IT
ScreamingMedia
Direct 212 659 2090
Mobile 646 734 4414
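The two behaviours the thread circles around, a driver that refuses more than one statement per call and a query that binds the user's value as a parameter, can be reproduced offline. The following is an added example, not code from anyone in the thread: it uses Python's sqlite3 module as a stand-in for Perl DBI (sqlite3's execute() also accepts exactly one statement per call), an in-memory CLIENTS table constructed here with a single `nom` column borrowed from the quoted message, and the thread's own Oracle-style stacked input. The function names are assumptions for the example.

```python
import sqlite3

# Constructed stand-in for the CLIENTS table mentioned in the thread
# (in-memory, two throwaway rows); column name "nom" follows the quoted text.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CLIENTS (nom TEXT)")
    conn.executemany("INSERT INTO CLIENTS (nom) VALUES (?)",
                     [("hisname",), ("my_name",)])
    conn.commit()
    return conn

# The input from the thread that closes the string, terminates the
# statement with ';' and tries to stack a second statement behind it.
STACKED_INPUT = "hisname' ; select sysdate from dual --"

def lookup_concatenated(conn, nom):
    """The pattern the thread warns about: the value is pasted into the SQL.

    sqlite3, like the DBI behaviour described in the thread, prepares only the
    first statement and refuses the call when anything follows it, so the
    stacked statement never runs. Returns the rows, or
    ("rejected", <exception class name>) when the driver refuses the call.
    """
    sql = "select nom from CLIENTS where nom = '%s'" % nom
    try:
        return conn.execute(sql).fetchall()
    # Python < 3.11 raises sqlite3.Warning for a multi-statement string,
    # 3.11+ raises sqlite3.ProgrammingError; catch both for a stable result.
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("rejected", type(exc).__name__)

def lookup_parameterized(conn, nom):
    """The fix that does not depend on driver behaviour: a bound parameter is
    always data, so a quote or semicolon inside it cannot end the statement.
    The stacked input is simply looked up as a literal name and matches nothing.
    """
    return conn.execute("select nom from CLIENTS where nom = ?",
                        (nom,)).fetchall()

def table_still_exists(conn):
    """Confirms nothing behind the ';' changed the schema."""
    row = conn.execute(
        "select name from sqlite_master where type = 'table' and name = 'CLIENTS'"
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, "hisname"))       # [('hisname',)]
    print(lookup_concatenated(db, STACKED_INPUT))   # ('rejected', ...)
    print(lookup_parameterized(db, STACKED_INPUT))  # []
    print(table_still_exists(db))                   # True
```

The Perl DBI equivalent of lookup_parameterized is a `?` placeholder in `$dbh->prepare(...)` with the value passed to `execute`. Note what the one-statement-per-call rule does and does not buy: it stops the stacked statement, but the concatenated query is still injectable within its single statement, which is why the bound parameter, not the driver's refusal, is the control to rely on.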
Current thread:
- Re: [PEN-TEST] stacking SQL requests Andrew Lawton (Aug 30)
- <Possible follow-ups>
- Re: [PEN-TEST] stacking SQL requests Emmanuel Gadaix (Aug 30)
- Re: [PEN-TEST] stacking SQL requests Justin Shaffer (Aug 31)
- Re: [PEN-TEST] stacking SQL requests Nicolas Gregoire (Aug 31)
- Re: [PEN-TEST] stacking SQL requests Justin Shaffer (Aug 31)
- Re: [PEN-TEST] stacking SQL requests Michael Owen (Aug 31)