WebApp Sec mailing list archives
Re: SQL njection 2
From: Juan Carlos Reyes Muñoz <jcreyes () 007mundo com>
Date: Sun, 20 Apr 2003 14:25:16 -0500
Most of the SQL sentences can be issued via a UNION clause; the matter is that you must know how many columns the first sentence is looking for and put an equal number of columns on the UNION side.
In fact, many sentences can be issued when you put "' UNION <new sentence> --" (without the initial and ending quotes).
You can try the insert in that way ;)

jcr

falcifer wrote:
how can i insert an insert command in a sql sentence that looks like select * from parameter???
the database is access and when i try to insert something like
pameter=table;insert%20into%20clientes(uspw,pwus)%20values('j','j')
the ODBC returns this error

error '80040e14'
[Microsoft][Controlador ODBC Microsoft Access] Se encontraron caracteres después del final de la instrucción SQL.
/visornew.asp, line 10

it means: "there are characters after the SQL sentence"
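Added example, not part of the original thread: the `select * from <parameter>` pattern discussed above, shown beside an allowlisted form. It assumes Python's `sqlite3` as a stand-in for the Access/ODBC backend; the `productos` table, its rows and the allowlist are constructed for illustration, and `clientes(uspw,pwus)` is taken from the post.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for the Access database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE productos (nombre TEXT, precio TEXT);
        CREATE TABLE clientes (uspw TEXT, pwus TEXT);
        INSERT INTO productos VALUES ('widget', '10');
        INSERT INTO clientes VALUES ('admin', 's3cret');
    """)
    return db

# Hypothetical allowlist: the only tables the page is meant to display.
ALLOWED_TABLES = {"productos"}

def query_vulnerable(db, parameter):
    # Same shape as the page in the thread: the request value is pasted
    # straight into the SQL text.
    return db.execute("SELECT * FROM " + parameter).fetchall()

def query_allowlisted(db, parameter):
    # A table name cannot be bound as a query parameter, so the value is
    # accepted only if it exactly matches a known table name.
    if parameter not in ALLOWED_TABLES:
        raise ValueError("unknown table requested")
    return db.execute("SELECT * FROM " + parameter).fetchall()

def attempt(query_fn, db, parameter):
    """Return ('rows', data) or ('blocked', who_rejected_it)."""
    try:
        return ("rows", query_fn(db, parameter))
    except ValueError:
        return ("blocked", "allowlist")
    except (sqlite3.Error, sqlite3.Warning):
        # Single-statement drivers reject text after the first statement,
        # like the Access error quoted above, or a UNION whose column
        # count does not match.
        return ("blocked", "driver")

if __name__ == "__main__":
    db = make_db()
    for value in ("productos",
                  "productos;insert into clientes(uspw,pwus) values('j','j')",
                  "productos UNION SELECT uspw FROM clientes",
                  "productos UNION SELECT uspw, pwus FROM clientes"):
        print(repr(value), attempt(query_vulnerable, db, value),
              attempt(query_allowlisted, db, value))
```

The driver's single-statement check stops the stacked `insert` but not a UNION with a matching column count; only the allowlisted form rejects every value other than the expected table name.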