Penetration Testing mailing list archives
Quite basic SQL injection question
From: Alexandre De Dommelin <adedommelin () tuxz net>
Date: Mon, 18 Apr 2011 09:51:46 +0200
Hi all,

I'm evaluating PHP/MySQL code and I found a problem in the following code:

<?php
$query="
    SELECT * FROM table1 m
    JOIN table2 t
    $condition
    ORDER BY m.field1, t.field2
";
$db->query($query);
?>

I'm able to inject everything I want into $condition, but I can't manage to get the ORDER clause to be ignored (using -- /* ...), which leads to an SQL error.

I'm sure it's quite stupid but I have to admit that I'm stuck ...

Do you have an idea?

Bests,
Alex
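For whoever has to fix the code under evaluation, here is a hardened counterpart of the query in the post above. It is an added example, not part of the original message and not the application's own code. It assumes $condition was meant to carry a filter; PDO, the in-memory SQLite database, the columns id/table1_id/status and the helper buildQuery() are hypothetical.

```php
<?php
// Added example: filter built from an allow-list, values bound as parameters.
// Assumptions (not from the post): PDO + SQLite, the id/table1_id/status
// columns and the buildQuery() helper are hypothetical.
const FILTERS = [                      // request key => [column, operator]
    'field1' => ['m.field1', '='],
    'status' => ['t.status', '='],
    'min_f2' => ['t.field2', '>='],
];

function buildQuery(array $input): array
{
    $where = [];
    $params = [];
    foreach ($input as $key => $value) {
        // Identifiers in the SQL text come only from FILTERS, never the caller.
        if (!array_key_exists($key, FILTERS) || !is_scalar($value)) {
            throw new InvalidArgumentException('unsupported filter: ' . var_export($key, true));
        }
        [$column, $op] = FILTERS[$key];
        $where[] = "$column $op :$key";
        $params[":$key"] = $value;
    }
    $sql = 'SELECT m.field1, t.field2 FROM table1 m JOIN table2 t ON t.table1_id = m.id'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
         . ' ORDER BY m.field1, t.field2';
    return [$sql, $params];
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, field1 TEXT)');
$db->exec('CREATE TABLE table2 (table1_id INTEGER, field2 INTEGER, status TEXT)');
$db->exec("INSERT INTO table1 VALUES (1, 'a'), (2, 'b')");
$db->exec("INSERT INTO table2 VALUES (1, 10, 'open'), (2, 20, 'closed')");

// A value containing quote and comment characters is bound as data, so the
// statement text (including the trailing ORDER BY) is unchanged.
[$sql, $params] = buildQuery(['status' => "open' -- ", 'min_f2' => 5]);
$stmt = $db->prepare($sql);
$stmt->execute($params);
var_dump($sql, $stmt->fetchAll(PDO::FETCH_ASSOC));

// A key outside the allow-list is rejected before any SQL is built.
try {
    buildQuery(['1=1 --' => 'x']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```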