sql injection question

["Richard Stevens" <richard () tccnet co uk>]

Quick question for the list, if I may,

We have a third party application that we are piloting for using as web store front end.

I have no idea on programming sql at all, but have read of some of the sql injection techniques on this list.

In the search box on the app, by inserting  ' followed by a space, the following message is generated:

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ' insert into @promtable select 
a.ItemCode, a.SysNumber, a.TechDescription, a.InvoiceDescription, a.Classification, a.ProductGrou'.
/eshop/search.asp, line 265


Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 

Page:
GET /eshop/search.asp?SessionId=PR10006210200315411635Q3TLJ310ELW679PQ7Y&QuickSearch=%27+ 

Time:
Wednesday, October 15, 2003, 4:45:30 PM 




Also, the password for SA is stored in clear text in the site in a text config file. This would not strike me as being 
sensible.

These are both ringing alarm bells !

> From this info, would you assume it would be easy for someone skilled in sql injection to get unauthorised access to 
> the database?.. or is it not that simple?

The input seems to be filtered correctly on the logon.asp, as entering these characters has no apparent effect.

TIA

Richard

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html