SQL Injection through ASP and MS SQL 2000



phantom007
10-27-2007, 07:39 AM
Hello,


I have heard a lot about SQL injection. I was wondering how an injector comes to know the table/column names when they cannot see the ASP code of a website?

Can someone explain, please?

Thanks

SouthwaterDave
10-27-2007, 10:33 AM
They don't initially. They use SQL injection to get a list of tables using something like

select * from sys.tables

This works for SQL Server 2005 but they would try other variants for SQL Server 2000 or MySQL.

Or they just guess. Table names like Products or Users are often used.

If the web site administrator has got the security settings wrong then it may even be possible to see the ASP source too.

BarrMan
10-27-2007, 03:08 PM
SQL injection basically means that the user manages to write database commands to your database. This can be done using a search input in your form or any other input that is being executed by the server.

There's a way to prevent SQL injection and it's to convert the threatening characters to their HTML-coded value, i.e.:

' Replace the single quote with its HTML-coded value before it reaches the query
Function strFormat(str)
    str = Replace(str, "'", "&#39;")
    strFormat = str
End Function
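As an added example (not code posted in this thread), here is the lookup BarrMan's filter is meant to protect, written once with the input concatenated into the SQL text and once with the input bound as an ADODB parameter so SQL Server treats it as data whatever characters it contains. The open connection object conn, the Users table and its column sizes are assumptions.

```vbscript
<%
' Added example, not from the thread. Assumes an open ADODB.Connection "conn"
' and a table Users(UserName varchar(50), Email varchar(100)) on SQL Server 2000.

' Concatenated form: the input becomes part of the SQL text, so a quote inside
' it changes the query structure. A quote filter also gives no protection where
' a numeric column is concatenated without quotes (e.g. "WHERE UserID = " & id).
Function FindUserEmailUnsafe(conn, userName)
    Dim rs
    Set rs = conn.Execute("SELECT Email FROM Users WHERE UserName = '" & userName & "'")
    If Not rs.EOF Then
        FindUserEmailUnsafe = rs("Email").Value
    Else
        FindUserEmailUnsafe = ""
    End If
    rs.Close
    Set rs = Nothing
End Function

' Parameterised form: the value travels separately from the SQL text, so the
' database never parses it as part of the statement.
Function FindUserEmail(conn, userName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                     ' adCmdText
    cmd.CommandText = "SELECT Email FROM Users WHERE UserName = ?"
    ' CreateParameter(name, type, direction, size, value)
    ' 200 = adVarChar, 1 = adParamInput, 50 = width of the assumed column
    cmd.Parameters.Append cmd.CreateParameter("@UserName", 200, 1, 50, userName)
    Set rs = cmd.Execute
    If Not rs.EOF Then
        FindUserEmail = rs("Email").Value
    Else
        FindUserEmail = ""
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Usage: the request value is passed straight through; the parameter binding,
' not a character filter, is what keeps it out of the SQL text.
Response.Write Server.HTMLEncode(FindUserEmail(conn, Request.QueryString("user")))
%>
```

The parameterised version also handles legitimate names containing an apostrophe (such as O'Brien) without altering them, which the Replace-based filter does not.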



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum