SQL injection possibility...

  • #1

    I have a program that I am testing to make sure that it's fairly strong, and the person who wrote the program tried to disable the keyboard, except for the numbers, so that an SSN could be entered. However, if I go to a text file and write out some code, it's possible to cut and paste it into the field.
    It gives me an error like:

    ERROR [42000][Sybase][ODBC Driver]Syntax error or access violation

    My question is, does this error show that an SQL injection might be possible in this type of program and if so, how could it be strengthened against one?

    Also, this program will create an account in a database when you enter the information in the fields...if it is possible to cut and paste malicious code into the field, is it possible for someone to have the accounts that are already in the database come up in front of them to view?

  • #2
    Originally posted by romulus
    However, if I go to a text file and write out some code, it's possible to cut and paste it into the field.
    It gives me an error like:

    ERROR [42000][Sybase][ODBC Driver]Syntax error or access violation

    My question is, does this error show that an SQL injection might be possible in this type of program and if so, how could it be strengthened against one?
    This error shows there's a syntax error at some point in your SQL. You'll need to be a bit more detailed for a real answer. Assuming that it's expecting numerical data, and you're inserting alphanumeric data, that would qualify as a SQL syntax error. From there, one could most likely attack the server the same way you would attack a MS SQL Server, due to their shared roots.

    You should look at the NGS Papers on Error Based SQL Injection (http://www.nextgenss.com/papers.htm) for more info.
    a pc-0x90 by any other name is a nummish..
    Bigger 1:23

    • #3
      Thanks for the link.

      I'll check it out to see if I can learn a little bit more about the process so I can give it a stress test. :)

      • #4
        Originally posted by pc-0x90

        You should look at the NGS Papers on Error Based SQL Injection (http://www.nextgenss.com/papers.htm) for more info.
        More good info here.
        (Spi Dynamics did a very good presentation on SQL Injection at either DC 9 or 10.. I can't remember)
        Happiness is a belt-fed weapon.
