WebApp Sec mailing list archives

Re: ORACLE SQL Injection Question


From: "Kenneth Duran" <KDURAN () pn usbr gov>
Date: Tue, 04 Nov 2003 11:08:18 -0700

I asked my D.B.A. and his suggestion is to break down the command into a
series of one line commands instead of using the commas.

Kenneth M. Duran, CISSP
PN Network Security Manager
kduran () pn usbr gov
(208)-378-5146

Mike Rauch <michaelraouch () yahoo com> 11/03/03 07:57AM >>>
Hello,
I'm performing an assessment on one of our web
applications (black box type) and I came across two
interesting error messages from an Oracle DB when I
supply a 'SELECT statement. The messages are:
 a)  ORA-00933 SQL Command not properly ended
 b)  ORA-00917 Missing comma

I tried various formats to form an SQL statement that
can be parsed but no success.

Can anyone shed any light as to what I may be
able to try?

Thanks !

Mike 
