10-27-2007, 08:39 AM
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
Can someone explain plz?
10-27-2007, 11:33 AM
They don't initially. They use SQL injection to get a list of tables using something like select * from sys.tablesThis works for SQL Server 2005 but they woul try other variants for SQL Server 2000 or MySQL.
Or they just guess. Table names like Products or Users are often used.
If the web site administrator has got the security settings wrong then it may even be possible to see the ASP source too.
10-27-2007, 04:08 PM
The SQL injection basically says that the user manages to write database commands to your database. This can be done using a search input in your form or any other input that is being executed by the server.
There's a way to prevent SQL injection and it's to convert the threatning characters to their html coded value. ie:
str = Replace(str,"'","'"
strFormat = str