Penetration Testing mailing list archives

Re: Quite basic SQL injection question


From: danuxx () gmail com
Date: Tue, 19 Apr 2011 13:56:24 +0000

Did you try with # instead? Make sure to encode it: %23

-----Original Message-----
From: Alexandre De Dommelin <adedommelin () tuxz net>
Sender: listbounce () securityfocus com
Date: Mon, 18 Apr 2011 09:51:46 
To: <pen-test () securityfocus com>
Subject: Quite basic SQL injection question

Hi all,

I'm evaluating PHP/MySQL code and I found a problem in the following code:
<?php
$query="
SELECT *
FROM table1 m JOIN table2 t
$condition
ORDER BY m.field1, t.field2
";
$db->query($query);
?>

I'm able to inject everything I want into $condition, but I can't manage to
get the ORDER clause ignored (using -- /* ...), which leads to an SQL
error.
I'm sure it's quite stupid but I have to admit that I'm stuck ...

Do you have an idea?

Bests,

Alex
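
Added example, not part of the original thread or of the code under review: one way to rebuild the quoted query so that no caller-controlled text is concatenated into the statement. The filter names, the ON keys (m.id, t.m_id) and the use of PDO are assumptions; only table1, table2, field1 and field2 come from the post.

```php
<?php
// Added example. The filter names, the ON keys (m.id, t.m_id) and the use
// of PDO are assumptions; only table1/table2/field1/field2 come from the post.
const ALLOWED_FILTERS = [
    'field1' => 'm.field1',
    'field2' => 't.field2',
];

// Returns [sql, params]. The SQL text is assembled only from fixed strings
// and allow-listed identifiers; caller values travel separately as parameters.
function buildQuery(array $filters): array
{
    $where = [];
    $params = [];
    foreach ($filters as $name => $value) {
        if (!array_key_exists($name, ALLOWED_FILTERS)) {
            throw new InvalidArgumentException("unknown filter: $name");
        }
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("filter $name must be scalar");
        }
        $where[] = ALLOWED_FILTERS[$name] . ' = ?';
        $params[] = $value;
    }
    $sql = 'SELECT * FROM table1 m JOIN table2 t ON t.m_id = m.id'
        . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
        . ' ORDER BY m.field1, t.field2';
    return [$sql, $params];
}

// Prepare and execute against an existing PDO connection.
function runQuery(PDO $db, array $filters): array
{
    [$sql, $params] = buildQuery($filters);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: quote and comment characters stay inside the bound value.
[$sql, $params] = buildQuery(['field1' => "O'Brien #1"]);
echo $sql, PHP_EOL, json_encode($params), PHP_EOL;
```

With this shape the ORDER BY clause is always part of the executed statement, because the only variable parts of the SQL text are allow-listed column names and `?` placeholders.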


