Nick,
Good question, but SQL Injection is absolutely an issue in VBScript (ASP
pages). Here's the deal: the ' only acts as a comment if it's in the
source code, not when it's in a variable. So...
If you have code that looks like this:
Dim sSql, rs, oConnection
'..... Setup the connection......
' The user's input is concatenated straight into the SQL text (note the
' VBScript line continuation "_", which the original was missing):
sSql = "Select * from myCustomers where FirstName = '" & _
       Request("txtFirstName") & "'"
Set rs = oConnection.Execute(sSql)
'.....do something with the returned data.....
And if a user puts a ' in the text box called txtFirstName, you end up with
something that acts like this:
Dim sSql, rs, oConnection
'..... Setup the connection......
sSql = "Select * from myCustomers where FirstName = '''"
Set rs = oConnection.Execute(sSql)
'.....do something with the returned data.....
Have a great day,
Dennis Hurst
dhurst@spidynamics.com
SPI Labs
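As an added example (not code from Dennis's message or SPI Labs), here is the concatenated query from above kept next to the classic ASP fix, a parameterized ADODB.Command: the SQL text is fixed and the user's value is bound as a typed parameter, so a ' inside it stays part of the value. oConnection, myCustomers and FirstName are taken from the message; the parameter width of 50 is an assumption.

```vbscript
<%
Option Explicit
' Added example, not from the original message. Assumes oConnection is an
' open ADODB.Connection and the table/column names used in the thread;
' the column width of 50 is an assumption.
Dim sFirst, sSql, oCmd, rs

sFirst = Request("txtFirstName")

' Vulnerable: the value is pasted into the SQL text. For O'Brien this yields
'   Select * from myCustomers where FirstName = 'O'Brien'
' so the first ' closes the string literal and the rest is parsed as SQL.
' sSql = "Select * from myCustomers where FirstName = '" & sFirst & "'"
' Set rs = oConnection.Execute(sSql)

' Hardened: the SQL text never changes; the value travels as a parameter.
' ADO constants written as numbers in case adovbs.inc is not included:
' adCmdText = 1, adVarChar = 200, adParamInput = 1
Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConnection
oCmd.CommandText = "Select * from myCustomers where FirstName = ?"
oCmd.CommandType = 1
oCmd.Parameters.Append oCmd.CreateParameter("FirstName", 200, 1, 50, sFirst)
Set rs = oCmd.Execute

Do Until rs.EOF
    ' Encode on output too, so a stored value cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("FirstName").Value & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```

The same ? placeholder with CreateParameter works for the other drivers named in the thread; only the concatenated form depends on how the server parses the quote.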
-----Original Message-----
From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
Sent: Monday, February 10, 2003 6:07 AM
To: Loki; raul.johhut@hushmail.com
Cc: webappsec@securityfocus.com
Subject: Re: SQL Injection Basics
Hmm... just a guess here, but if a developer is using VBScript as the
scripting language, would SQL injection be impossible, since in VBScript
the " ' " mark is a comment mark, and therefore never used in SQL
statements?
Nick J
nick@ethicsdesign.com
----- Original Message -----
From: "Loki" <loki@fatelabs.com>
To: <raul.johhut@hushmail.com>
Cc: <webappsec@securityfocus.com>
Sent: Saturday, February 08, 2003 9:16 PM
Subject: Re: SQL Injection Basics
> Raul:
> "sdfsd",
> it's escaping an SQL query with a single tick (') that the developer
> doesn't escape (or in the case of PHP, GLOBALS is turned on in the
> php.ini).
>
> SQL injection is simply altering the SQL query sent to the SQL server
> and executing a malicious query instead of what was expected by the
> developer. Depending on the remote server (Oracle, Microsoft SQL, MySQL,
> PostgreSQL), these statements will only differ based on their stored
> injection
> by just entering a single tick (') in the form submission field, hitting
> submit, and looking for any errors such as ODBC, etc.
> injection.
> >
> > The app creates an ODBC error. Is this a guarantee of SQL Injection?
> >
> > If I use www.victim/test.asp?userid=sfdsd
> >
> > the error is "incorrect syntax near line 28 of test.asp" (or that's the
> > English translation equivalent in my case).
> >
> > I know the database is called master, and has a table test. What is the
> > syntax I should use?
> >
> > What are the best freeware and open source tools for testing SQL
> > injection? I tried WPoison, which was OK.
> >
> > I also tried WebSleuth (which seems to have gone from GPL to closed
> > source commercial btw). Am I right in saying that the SQL plugin has to
> > connect directly to the database to work? I can only see port 80 so I
> > don't think this will work?
> >
> > Thanks, Raul.
> --
> Loki <loki@fatelabs.com>
Received on Mon Feb 10 12:04:20 2003
This archive was generated by hypermail 2.1.8
: Wed Aug 23 2006 - 14:07:48 EDT