Penetration Testing mailing list archives
Re: [PEN-TEST] Hacking SQL queries ...
From: Philip Wagenaar <pb.wagenaar () CHELLO NL>
Date: Thu, 8 Feb 2001 01:34:25 +0100
Be sure to put an input filter on %input%. If somebody enters a string containing ' it will crash the query.

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Aurobindo Sundaram (+1 512 918 1390)
Sent: Wednesday, 7 February 2001 21:08
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Hacking SQL queries ...

I have to audit a bit of code that does the following:

SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name

where input is the user input. When I try the input 'test, the code generated is

SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name

Since I'm an SQL newbie, I'd be curious to know how someone could supply the appropriate input to do bad things on the SQL server - either in R/O or R/W mode. If there are SQL hacking pages someplace, a link would be appreciated.

Thanks,
Robin
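The following is an added example, not code from either poster, showing the query pattern discussed in this thread in both its string-concatenated and its parameterised form, run against SQLite via Python's standard sqlite3 module. It assumes the audited code splices the input into the SQL text with no quote handling at all (the '%''test%' output Robin quotes suggests his code may double quotes, which this example deliberately does not do), and it uses a constructed Users table with a second Password column purely so that a UNION-based read has something to pull. The table contents, the helper names and the chosen payloads are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for this example; not from the original thread.
SAMPLE_USERS = [
    ("alice", "hunter2"),
    ("bob", "s3cret"),
    ("test_user", "pw_50%"),
    ("testing", "letmein"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory Users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """The pattern from the thread: user input spliced straight into the SQL text.
    A quote in the input changes the statement instead of the search term,
    and % or _ in the input act as LIKE wildcards."""
    sql = f"SELECT Name FROM Users WHERE Name LIKE '%{user_input}%' ORDER BY Name"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so % and _ in the input match themselves."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """Parameterised form: the term travels as a bound value, never as SQL text,
    and an ESCAPE clause keeps % and _ in the term from acting as wildcards."""
    sql = "SELECT Name FROM Users WHERE Name LIKE ? ESCAPE '\\' ORDER BY Name"
    pattern = "%" + escape_like(user_input) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def demo() -> dict:
    """Run the inputs discussed in the thread against both versions."""
    conn = make_db()
    out = {}
    # 1. The apostrophe case Robin tried: with no quote handling the
    #    statement is malformed and the database rejects it.
    try:
        search_vulnerable(conn, "'test")
        out["vuln_quote"] = "ran"
    except sqlite3.OperationalError as e:
        out["vuln_quote"] = f"error: {e}"
    # 2. Closing the quote and appending a UNION reads a different column
    #    out of the same table; the trailing "--" comments out the rest.
    union_payload = "x%' UNION SELECT Password FROM Users --"
    out["vuln_union"] = search_vulnerable(conn, union_payload)
    # 3. Unescaped wildcard: a user asking for "test_" also gets "testing".
    out["vuln_underscore"] = search_vulnerable(conn, "test_")
    # 4. The same inputs are harmless once bound as parameters.
    out["safe_quote"] = search_safe(conn, "'test")
    out["safe_union"] = search_safe(conn, union_payload)
    # 5. With ESCAPE, a literal underscore matches only itself.
    out["safe_underscore"] = search_safe(conn, "test_")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes beyond the thread is that "filtering" the apostrophe is not the fix: binding the search term as a parameter removes the quote problem entirely, and the LIKE wildcards are a separate issue that still needs an ESCAPE clause even in the parameterised query.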