Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)

[EricSmith () WINDSOR COM (Smith, Eric V.)]

Not true, at least for the case of MS Sql Server 7.  The following
statement:

insert into customer (name, primary_contact)
values ('a', '4')

succeeds where primary_contact is of type int (I also tried numeric just to
be sure).  I write code like this all of the time when I know the column
names but not their types.

Did you actually try this yourself before posting?  What results did you
observe?

Eric.

> -----Original Message-----
> From: Jeremy Whittington [mailto:jwhitt () INSIDERMARKETING COM]
> Sent: Tuesday, February 08, 2000 10:52 AM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads
> advisory)
>
>
> Hello,
>
> I would like to make a comment on your statment about SQL
> Syntax and how you
> deal with numeric values.
>
> >  If you're stating that you cannot enclose your numeric
> values in single
> >  quotes in SQL query strings, it seems to be incorrect. I'm
> also using SQL as
> >  my backend, and I've ALWAYS enclosed numbers in single
> quotes, and it has
> >  always worked.
>
> When inserting data into a Numeric datatype you do not use
> single quotes around
> the values.
>
> If Field2 was a Numeric datatype in this example it would
> Fail on MS SQL Server
> 6.5, 7.0 , MS Access 97/2k, Oracle 6i+, and Dbase.
> INSERT INTO Table (Field1, Field2) Vaules('String','1')