  1. #1
    Regular Coder
    Join Date
    Jun 2006
    Location
    UK
    Posts
    922
    Thanks
    302
    Thanked 3 Times in 3 Posts

    SQL Injection through ASP and MS SQL 2000

    Hello,


    I have heard a lot about SQL injection. I was wondering how an injector comes to know the table/column names when they cannot see the ASP code of a website?

    Can someone explain plz?



    Thanx

  • #2
    Regular Coder
    Join Date
    May 2007
    Location
    UK
    Posts
    180
    Thanks
    0
    Thanked 18 Times in 18 Posts
    They don't initially. They use SQL injection to get a list of tables using something like
    Code:
    select * from sys.tables
    This works for SQL Server 2005 but they would try other variants for SQL Server 2000 or MySQL.

    Or they just guess. Table names like Products or Users are often used.

    If the web site administrator has got the security settings wrong then it may even be possible to see the ASP source too.

  • #3
    Senior Coder BarrMan
    Join Date
    Feb 2005
    Location
    Israel.
    Posts
    1,644
    Thanks
    69
    Thanked 83 Times in 82 Posts
    The SQL injection basically says that the user manages to write database commands to your database. This can be done using a search input in your form or any other input that is being executed by the server.

    There's a way to prevent SQL injection and it's to convert the threatening characters to their HTML coded value, i.e.:
    Code:
    Function strFormat(str)
        ' Replace each single quote with its HTML entity
        str = Replace(str, "'", "&#39;")
        strFormat = str
    End Function
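
An added example, not part of the original posts: it compares a query built by string concatenation, the same query after the `strFormat` replacement from post #3, and a query that passes the value as a bound parameter. The assumptions are an in-memory SQLite database standing in for MS SQL, a constructed `Users` table, and Python instead of ASP so the comparison runs anywhere.

```python
import sqlite3

def make_db():
    """In-memory SQLite database standing in for the MS SQL back end (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO Users (name) VALUES (?)", [("O'Brien",), ("Smith",)])
    return db

def find_concat(db, name):
    """Statement built by concatenation: the input becomes part of the SQL text."""
    sql = "SELECT id, name FROM Users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def str_format(s):
    """Python equivalent of strFormat from post #3 (quote -> HTML entity)."""
    return s.replace("'", "&#39;")

def find_encoded(db, name):
    """Concatenation again, but with the quote HTML-encoded first."""
    return find_concat(db, str_format(name))

def find_bound(db, name):
    """Placeholder query: the value travels separately and is never parsed as SQL."""
    return db.execute("SELECT id, name FROM Users WHERE name = ?", (name,)).fetchall()

def compare(name):
    """Run all three lookups for one input and collect what each returns."""
    db = make_db()
    results = {}
    try:
        results["concat"] = find_concat(db, name)
    except sqlite3.OperationalError as exc:
        # The quote in the input ended the string literal and broke the statement.
        results["concat"] = "error: " + str(exc)
    results["encoded"] = find_encoded(db, name)
    results["bound"] = find_bound(db, name)
    return results

if __name__ == "__main__":
    for sample in ("Smith", "O'Brien"):  # constructed inputs
        print(sample, compare(sample))
```

For the name `O'Brien`, concatenation fails because the quote ends the string literal, the encoded version runs but matches nothing because the stored value contains a real quote, and only the bound parameter returns the row.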

