SQL injection possibility...

  • Gadsden
    replied
    Originally posted by pc-0x90

    You should look at the NGS Papers on Error Based SQL Injection (http://www.nextgenss.com/papers.htm) for more info.
    More good info here.
    (SPI Dynamics did a very good presentation on SQL Injection at either DC 9 or 10... I can't remember.)

  • romulus
    replied
    thanks for the link.

    I'll check it out to see if I can learn a little bit more about the process so I can give it a stress test. :)


  • pc-0x90
    replied
    Originally posted by romulus
    However, if I go to a text file and write out some code, it's possible to cut and paste it into the field.
    It gives me an error like:

    ERROR [42000][Sybase][ODBC Driver]Syntax error or access violation

    My question is, does this error show that an SQL injection might be possible in this type of program and if so, how could it be strengthened against one?
    This error shows there's a syntax error at some point in your SQL. You'll need to be a bit more detailed for a real answer. Assuming that it's expecting numerical data, and you're inserting alphanumeric data, that would qualify as a SQL syntax error. From there, one could most likely attack the server the same way you would attack a MS SQL Server, due to their shared roots.

    You should look at the NGS Papers on Error Based SQL Injection (http://www.nextgenss.com/papers.htm) for more info.


  • romulus
    started a topic SQL injection possibility...

    I have a program that I am testing to make sure that it's fairly strong, and the person who wrote the program tried to disable the keyboard, except for the numbers, so that an SSN could be entered. However, if I go to a text file and write out some code, it's possible to cut and paste it into the field.
    It gives me an error like:

    ERROR [42000][Sybase][ODBC Driver]Syntax error or access violation

    My question is, does this error show that an SQL injection might be possible in this type of program and if so, how could it be strengthened against one?

    Also, this program will create an account in a database when you enter the information in the fields...if it is possible to cut and paste malicious code into the field, is it possible for someone to have the accounts that are already in the database come up in front of them to view?
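Added example, not code from this thread or from the program being tested: the keyboard lockout described above runs on the client, and pasting bypasses it, so the strengthening has to happen where the SQL is built. The block contrasts the concatenation pattern that produces the driver's syntax error with a hardened version that validates the SSN server-side, passes values as query parameters, and returns a generic message instead of the raw driver error. It assumes an in-memory SQLite table standing in for the Sybase database reached over ODBC; the `?` placeholder syntax is the same one ODBC parameterized statements use, and the table layout and sample row are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for the account database (assumption: Sybase via ODBC in the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, ssn TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO accounts (ssn, name) VALUES ('123456789', 'existing user')")
    conn.commit()
    return conn

# Exactly nine digits. A server-side check cannot be bypassed by pasting into the field.
SSN_RE = re.compile(r"\d{9}")

def validate_ssn(value):
    return bool(SSN_RE.fullmatch(value))

def create_account_unsafe(conn, ssn, name):
    """Vulnerable pattern: user input spliced into the statement text.

    Any stray quote in the pasted value becomes part of the SQL, which is why the
    driver answers with 'Syntax error or access violation'. Returning that error
    text to the user also tells them the input reached the SQL parser.
    """
    sql = "INSERT INTO accounts (ssn, name) VALUES ('%s', '%s')" % (ssn, name)
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        return "db error: %s" % exc

def create_account_safe(conn, ssn, name):
    """Hardened pattern: validate first, bind values as parameters, hide driver errors."""
    if not validate_ssn(ssn):
        return "rejected: SSN must be exactly 9 digits"
    if not 0 < len(name) <= 64:
        return "rejected: invalid name"
    try:
        # Parameters are sent as data, never parsed as SQL, so a quote in the
        # name is stored literally instead of changing the statement.
        conn.execute("INSERT INTO accounts (ssn, name) VALUES (?, ?)", (ssn, name))
        conn.commit()
        return "ok"
    except sqlite3.Error:
        # Log the detail server-side; the user gets a message with no driver text.
        return "error: account could not be created"

def count_accounts(conn):
    return conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]

def lookup_name(conn, ssn):
    # Parameterized read path: the SSN is bound, not concatenated.
    row = conn.execute("SELECT name FROM accounts WHERE ssn = ?", (ssn,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    pasted_ssn = "123456789' x"          # constructed: what the keyboard lock would have blocked
    print(create_account_unsafe(db, pasted_ssn, "a"))      # driver syntax error, as in the thread
    print(create_account_safe(db, pasted_ssn, "a"))        # rejected before any SQL runs
    print(create_account_unsafe(db, "987654321", "O'Hara"))  # legitimate quote also breaks it
    print(create_account_safe(db, "987654321", "O'Hara"))    # stored as data
    print(count_accounts(db), lookup_name(db, "987654321"))
```

Running the block shows the same class of error the original poster saw coming back from the unsafe path, while the safe path never lets pasted text reach the SQL parser. The second question in the post, whether pasted text could expose existing rows, is answered by the same change: once every statement binds its inputs, the content of a field can only ever be a value, so it cannot turn an INSERT into a read of other accounts.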