Security Basics mailing list archives
Re: about SQL injection
From: Mert Eren ÜSTÜNKAYA <mustunkaya () cepdunyasi com>
Date: Wed, 6 Apr 2005 10:12:03 +0300
Hi,

If you used the sa account when connecting via JDBC/ODBC or whatever, it is possible that your DB is owned right now.
He/she just needs the table and DB names. select * from xxx where id=' when concatenated with the input field 2' or 1=1; delete from xxx --
Example: select * from xxx where id='2' or 1=1; delete from xxx --
// can delete all the data from the table xxx
- if you used 'sa' the dude can even create databases, drop databases, etc.
- can be used for information gathering
- if you hold the passwords not encrypted, the passwords for the users may be used in other places, like their email address..
These are the first ones that come to my mind..

Sign: "There is no patch for human stupidity"
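An added illustration of the concatenation problem described in the message above (not code from the original post or its author), using Python's sqlite3 module and a constructed table named xxx: the concatenated query lets a tautology return the whole table and, through an entry point that runs stacked statements, lets an appended delete wipe it, while the bound-parameter form treats the same inputs as plain values.

```python
import sqlite3

# Constructed sample table standing in for the "xxx" table in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE xxx (id TEXT PRIMARY KEY, secret TEXT)")
    conn.executemany("INSERT INTO xxx VALUES (?, ?)",
                     [("1", "alpha"), ("2", "beta"), ("3", "gamma")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_input):
    # Concatenation, as in the post: the input is parsed as part of the SQL text.
    sql = "select * from xxx where id='" + user_input + "'"
    return conn.execute(sql).fetchall()

def lookup_vulnerable_stacked(conn, user_input):
    # Same concatenation through an entry point that runs every statement in the
    # string, mimicking drivers that accept stacked queries (sqlite3's execute()
    # happens to refuse them; a defence must not rely on that driver quirk).
    conn.executescript("select * from xxx where id='" + user_input + "'")
    return conn.execute("select count(*) from xxx").fetchone()[0]

def lookup_parameterized(conn, user_input):
    # Bound parameter: the value travels separately from the statement and is
    # never parsed as SQL, so the quote and keywords in it stay literal.
    return conn.execute("select * from xxx where id=?", (user_input,)).fetchall()

# Constructed payloads in the spirit of the post's "2' or 1=1; delete from xxx --".
TAUTOLOGY = "2' or '1'='1"                    # makes the WHERE clause always true
STACKED = "2'; delete from xxx where '1'='1"  # appends a second statement

def demo():
    rows_leaked = len(lookup_vulnerable(make_db(), TAUTOLOGY))        # 3: whole table
    rows_safe = len(lookup_parameterized(make_db(), TAUTOLOGY))       # 0: no such id
    left_after_stacked = lookup_vulnerable_stacked(make_db(), STACKED)  # 0: table wiped
    conn = make_db()
    lookup_parameterized(conn, STACKED)                               # input stays a literal
    left_after_safe = conn.execute("select count(*) from xxx").fetchone()[0]  # 3
    return rows_leaked, rows_safe, left_after_stacked, left_after_safe

if __name__ == "__main__":
    print(demo())
```

Parameterization removes the parsing problem; the post's other point, connecting as sa, is separate and is addressed by giving the application account only the rights it needs.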