Penetration Testing mailing list archives
[PEN-TEST] Hacking SQL queries ...
From: "Aurobindo Sundaram (+1 512 918 1390)" <sundaram () AUSTIN APC SLB COM>
Date: Wed, 7 Feb 2001 14:07:35 -0600
I have to audit a bit of code that does the following

    SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name

where input is the user-input. When I try the input 'test, the code generated is

    SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name

Since I'm an SQL newbie, I'd be curious to know how someone could supply the appropriate input to do bad things on the SQL server - either in R/O or R/W mode.

If there are SQL hacking pages someplace, a link would be appreciated.

Thanks,
Robin
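The query shape in the post, reproduced as an added Python/SQLite example (not the poster's code, and not the unnamed application under audit): the first function splices user input into the SQL text the way the post describes, so a quote character in the input changes the statement rather than the search term; the second binds the pattern as a parameter and additionally escapes the LIKE wildcards % and _, which quote-doubling alone does not handle. The table name, column name, sample rows and the backslash escape character are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not from the original post.
SAMPLE_USERS = ["alice", "bob", "test_user", "100%"]


def make_db():
    """Build an in-memory Users table matching the query in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT)")
    conn.executemany("INSERT INTO Users (Name) VALUES (?)",
                     [(n,) for n in SAMPLE_USERS])
    return conn


def search_concat(conn, user_input):
    """The audited pattern: user input spliced straight into the SQL text.

    A quote in user_input terminates the string literal, so the input is
    parsed as SQL rather than as data.
    """
    sql = ("SELECT Name FROM Users WHERE Name LIKE '%" + user_input
           + "%' ORDER BY Name")
    return [row[0] for row in conn.execute(sql)]


def concat_query_errors(conn, user_input):
    """True when the spliced query no longer parses (the 'test symptom)."""
    try:
        search_concat(conn, user_input)
    except sqlite3.OperationalError:
        return True
    return False


def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters so they match literally.

    The escape character itself is doubled first, then % and _ are prefixed.
    Without this, an input of '%' or '_' widens the search to every row even
    when the query is parameterized.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_param(conn, user_input):
    """Hardened form: the whole pattern is a bound parameter.

    Quotes in user_input are now data, and ESCAPE makes % and _ literal.
    """
    pattern = "%" + escape_like(user_input) + "%"
    sql = "SELECT Name FROM Users WHERE Name LIKE ? ESCAPE '\\' ORDER BY Name"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print("concat, input test :", search_concat(db, "test"))
    print("concat, input 'test:", "query fails to parse"
          if concat_query_errors(db, "'test") else "parsed")
    print("concat, input _    :", search_concat(db, "_"))
    print("param,  input 'test:", search_param(db, "'test"))
    print("param,  input _    :", search_param(db, "_"))
    print("param,  input %    :", search_param(db, "%"))
```

The wildcard escaping is the part reviewers most often miss: a bound parameter stops the statement from being rewritten, but `_` or `%` in the input still matches every row unless the pattern is escaped, which matters when a LIKE search sits behind an access check.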
Current thread:
- [PEN-TEST] Hacking SQL queries ... Aurobindo Sundaram (+1 512 918 1390) (Feb 07)
- Re: [PEN-TEST] Hacking SQL queries ... Nicolas GREGOIRE (Feb 07)
- Re: [PEN-TEST] Hacking SQL queries ... Aaron C. Newman (Feb 07)
- Re: [PEN-TEST] Hacking SQL queries ... Florian Specker (Feb 07)
- Re: [PEN-TEST] Hacking SQL queries ... Philip Wagenaar (Feb 07)
- Re: [PEN-TEST] Hacking SQL queries ... Aaron C. Newman (Feb 10)
- [PEN-TEST] Hacking SQL queries ... Aurobindo Sundaram (+1 512 918 1390) (Feb 07)