Register

If this is your first visit, please click the Sign Up now button to begin the process of creating your account so you can begin posting on our forums! The Sign Up process will only take up about a minute of two of your time.

Results 1 to 2 of 2

Thread: SQL Injection

  1. #1
    Member forwardtrends's Avatar
    Join Date
    Jan 2003
    Location
    Pittsburgh, PA USA
    Posts
    69
    Member #
    498
    Dont know if you've heard of this but its a vulnerability of SQL server...

    If you have a login page on your site, type in this line

    ' or 1=1--

    It should log you in as the first user in your table of users.

    The reason it works is because the apostrophe " ' " breaks the cycle of code (usually double-quotes) and starts its own.. imagine the possiblities of user the returned error messages to get the names, fields, and content of all the data on your database - or dropping the entire database all together right from your login screen!

    A good fix for this is limiting the characters you can insert into the login fields - do this with ASP because there are ways around javascript!

    If you have any questions let me know

    Aaron
    http://www.forwardtrends.com
    Aaron Elliott
    www.forwardtrends.com

  2.  

  3. #2
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    In PHP it's addslashes(). Anyway, where PHP is concerned, there's a much bigger problem with SQL injection: register_globals. Say you have a link like showresults.php?total=n and a query like: [minicode]SELECT * FROM sometable LIMIT $total[/minicode]. Somebody could edit the URL to use something other than a number and effectively put whatever they want in the query.
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!


Remove Ads

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
All times are GMT -6. The time now is 02:29 AM.
Powered by vBulletin® Version 4.2.3
Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.
vBulletin Skin By: PurevB.com