WebApp Sec mailing list archives
Strange behaviour in SQL injection
From: "Securityinfos" <admin () securityinfos com>
Date: Tue, 29 Oct 2002 10:32:15 +0100
Conducting a pentest on a web application, I discovered something strange..
The web application correctly replaces single quote (') with double quote ('')
and correctly checks if the value is numeric,
but inserting in the query URL a value with a comma, the application shows an error.
for example:
http://www.webapplication.com/show.asp?id=1,1
shows the error.
So, can we deduce that the previous dogmas for securing a web application,
replacing quotes and checking if a value is numeric, are not enough?
I'd like to know also what Kevin Spett thinks..
thanks..
Antonio Stano
Securityinfos
http://www.securityinfos.com
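The gap described in the post is that a permissive "is numeric" check can accept a value such as `1,1` that a database will not treat as a single integer. The following is an added example, not code from the original post or from the application under test: a loose check (an assumed stand-in for a locale-aware numeric test that accepts thousands separators) beside a strict digit-only validator, followed by a lookup that only ever binds the validated integer as a query parameter. The table and rows are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's table
# (assumption: not the original post's schema).
_SAMPLE_ROWS = [(1, "first item"), (2, "second item")]

def loose_numeric(value: str) -> bool:
    """Stand-in for a permissive IsNumeric-style check.
    Assumption: like locale-aware parsers it tolerates thousands
    separators and a decimal part, so '1,1' passes."""
    return re.fullmatch(r"[0-9][0-9,]*(\.[0-9]+)?", value) is not None

_STRICT_ID = re.compile(r"[0-9]{1,9}")

def strict_int_id(value: str):
    """Return the id as an int only when the raw string is a plain run of
    digits; commas, whitespace, signs, exponents and decimals are rejected."""
    if _STRICT_ID.fullmatch(value) is None:
        return None
    return int(value)

def open_sample_db() -> sqlite3.Connection:
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", _SAMPLE_ROWS)
    return conn

def show(conn: sqlite3.Connection, raw_id: str):
    """Validate the raw query-string value, then query with a bound
    parameter so the value is never spliced into SQL text.
    Returns the matching (id, name) row, or None when the input is rejected
    or no row exists."""
    item_id = strict_int_id(raw_id)
    if item_id is None:
        return None  # reject outright rather than build a query from it
    return conn.execute(
        "SELECT id, name FROM items WHERE id = ?", (item_id,)
    ).fetchone()
```

The loose check accepts `1,1` while the strict validator rejects it, and because `show()` binds the parsed integer as a parameter, the query text never depends on the raw string even if validation were later relaxed.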