Re: SQL Injection Basics

From: Taco Fleur <tacofleur(at)nella.net.au>
Date: Mon Feb 10 2003 - 17:30:57 EST

SQL Injection works only when

  1. SELECT * FROM foo WHERE foobar = $var
  2. SELECT * FROM foo WHERE foobar = '$var'

In number 1, if the variable is not checked to be of type integer, people can submit, for example:
/urlstring/index.cfm?var=1; AND NASTY CODE HERE

In number 2, if the variable is not checked for tick marks and does not escape any that are found:
/urlstring/index.cfm?var=blah' AND NASTY CODE HERE --

In ColdFusion ALL ticks submitted are escaped; I'm sure more languages out there do that.
Anyway, what I am after is the backdoor, the Unicode equivalent... Anyone?

I got this %25%32%37 from Davy, which makes sense, but it still does not work with ColdFusion.
The following is the result:

SELECT category
FROM mytable
WHERE (category = '%27')

I am trying to find all possible ways for SQL Insertion so I can protect myself against it.
Like I said, I already convert any characters like ' ( ) < > to their HTML equivalents, but I believe there is a way to get around this with Unicode; not sure though...

----- Original Message -----
From: "Nick Jacobsen" <nick@ethicsdesign.com>
To: <dhurst@spidynamics.com>; <webappsec@securityfocus.com>
Sent: Tuesday, February 11, 2003 7:37 AM
Subject: Re: SQL Injection Basics

> Right, I wasn't thinking too well... makes sense. Though, according to
> used
> SQL injection on some code where the developer used NO tick marks, but
Received on Mon Feb 10 17:35:59 2003
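As an added illustration (not code from the thread, and not ColdFusion's own behaviour), the two forms from the post reproduced against an in-memory SQLite table, with a tick-doubling escape standing in for the "all ticks are escaped" handling the post describes. The table contents, the extra category column and all function names are assumptions of this example. A tautology (OR 1=1) is used instead of a stacked statement because sqlite3's execute() runs one statement at a time. The example also shows what the %25%32%37 attempt actually yields after the single URL-decode a web server performs, which is why the query above ends up comparing against the literal text %27.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed sample table standing in for "foo" in the post (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (foobar INTEGER, category TEXT)")
    conn.executemany("INSERT INTO foo VALUES (?, ?)",
                     [(1, "shoes"), (2, "hats"), (3, "belts")])
    return conn


def escape_ticks(value):
    """Double every single quote, the usual SQL way of escaping a tick inside a
    string literal. Assumed to be what "ticks are escaped" means in the post."""
    return value.replace("'", "''")


def form1_rows(conn, var):
    """Number 1 in the post: the value is dropped into the query without quotes.
    Tick escaping runs but cannot help, because the payload needs no tick."""
    sql = f"SELECT foobar FROM foo WHERE foobar = {escape_ticks(var)}"
    return sorted(row[0] for row in conn.execute(sql))


def form2_rows(conn, var):
    """Number 2 in the post: the value sits inside single quotes and ticks are
    escaped, so the attacker cannot close the string literal."""
    sql = f"SELECT category FROM foo WHERE category = '{escape_ticks(var)}'"
    return [row[0] for row in conn.execute(sql)]


def server_decodes_once(query_value):
    """A web server URL-decodes a query-string value exactly once, so
    %25%32%37 reaches the application as the three characters %27."""
    return unquote(query_value)


def app_decodes_again(query_value):
    """Only an application that decodes the already-decoded value a second
    time turns %25%32%37 into a real tick."""
    return unquote(unquote(query_value))


def form1_rows_checked(conn, var):
    """Fix for number 1: insist on an integer before the value goes anywhere
    near the query, and bind it as a parameter. Returns None when rejected."""
    try:
        number = int(var)
    except ValueError:
        return None
    return [row[0] for row in conn.execute(
        "SELECT foobar FROM foo WHERE foobar = ?", (number,))]


if __name__ == "__main__":
    db = make_db()
    print(form1_rows(db, "1 OR 1=1"))          # all rows: escaping ticks did nothing
    print(form2_rows(db, "blah' OR 1=1 --"))   # no rows: the tick was escaped
    print(server_decodes_once("%25%32%37"))    # %27, a literal, as in the post
    print(app_decodes_again("%25%32%37"))      # ' only if the app decodes twice
    print(form1_rows_checked(db, "1 OR 1=1"))  # None: rejected as non-integer
```

The point to take from the last two functions: double URL encoding is not a way around tick escaping by itself. It only becomes a tick if some layer decodes the value a second time after the web server already has, and the unquoted numeric form needs no tick at all, so the real protection for number 1 is a type check or a bound parameter, not quote handling.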


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT
