  1. #1
    New Coder

    SQL Injection test

    Hello CF
    I've been working on a site that shows the classes of my school for a while now. The other day I found a SQL injection on the site. I get this after setting the var "id" to ( ''- ).
    __________________________
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near '-'.

    /include/functions.asp, line 175
    ___________________________
    Now one of my friends told me to check and see if the vulnerability really is there. I do not know a lot about SQL injection, and neither does my friend. So could anyone tell me how I should check for this? What should I type in to, like, see some of the columns? Or see the passwords I made on the database with the usernames? It's just a test server right now, so all the passwords are 1235 and 12343, and the user names are test1 and so on. So could anyone tell me how I should inject the site, and see if the vul really is there?

    Best Regards,

    Napp

  • #2
    Supreme Master coder! Old Pedant's Avatar
    Just show me your code.

    I don't think that error message has anything to do with SQL Injection, per se.

    Oh, and by the by, this is in the wrong forum. It should be in the ASP forum, since protection against SQL Injection is server-type specific. Different code for PHP vs. ASP, for example. And has little to do with the actual DB in use.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #3
    Banned
    Quote Originally Posted by Napsteren View Post
    The other day I found a SQL injection on the site.
    ....
    I do not know a lot about SQL injection, and neither does my friend. So could anyone tell me how I should check for this.
    Some examples of how hackers can use sql injection to attack your web site.

    You can use prepared statements or mysql_real_escape_string (if using PHP) as defences against SQL injection.
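
    An added example, not part of the original thread or any poster's code: it shows the difference between building the query by string concatenation and using a prepared (parameterized) statement, using the `''-` value from post #1 as input. It is written in Python with an in-memory SQLite database as a stand-in for the ASP/SQL Server setup; the `classes` table, its columns and the function names are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample table; the real site's schema is not shown in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE classes (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO classes VALUES (?, ?)",
                   [(1, "Maths"), (2, "Physics")])
    return db

def lookup_concatenated(db, raw_id):
    # "Before": the request value becomes part of the SQL text, so the
    # database parses whatever the client sent.
    sql = "SELECT name FROM classes WHERE id = " + raw_id
    try:
        return "rows", db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # In production, log this server-side and show a generic error page.
        return "sql-error", str(exc)

def lookup_bound(db, raw_id):
    # "After", step 1: the SQL text is constant; the value travels separately
    # as a bound parameter and is only ever compared as data.
    sql = "SELECT name FROM classes WHERE id = ?"
    return "rows", db.execute(sql, (raw_id,)).fetchall()

def lookup_validated(db, raw_id):
    # "After", step 2: an id is a number, so reject anything else up front.
    try:
        class_id = int(raw_id)
    except (TypeError, ValueError):
        return "rejected", []
    return lookup_bound(db, class_id)

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "''-"):   # second value is the input from post #1
        print(repr(value), lookup_concatenated(db, value)[0],
              lookup_bound(db, value), lookup_validated(db, value))
```

    With the concatenated query the `''-` value causes a database syntax error; with the bound parameter the same value simply matches no rows, and the validated version rejects it before any query runs.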

  • #4
    Supreme Master coder! Old Pedant's Avatar
    /include/functions.asp, line 175
    mysql_real_escape_string won't work too well with ASP code.

    Another example of Bullant wanting to show off his skill at posting links instead of actually reading and answering the questions.
    Last edited by Old Pedant; 05-31-2011 at 09:22 PM.

  • #5
    Banned
    Quote Originally Posted by Old Pedant View Post
    mysql_real_escape_string won't work too well with ASP code.
    Yes, that is true, but since forums like this are not a 1:1 conversation and anyone on the planet with access to the interweb can potentially read this thread, there might be PHP users reading this thread who might not be aware of their options, given the OP's issues apply to PHP users as well.

    Hence that is why I posted
    ...... mysql_real_escape_string (if using php) .....
    Quote Originally Posted by Old Pedant View Post
    Another example of Bullant wanting to show off his skill at posting links ......
    I often post links to information, as do so many other posters, because it saves me time and a lot of typing. I'm not on anyone's payroll here so I, like everyone else volunteering replies, am under no obligation to spend a minimum amount of time on each post typing verbose replies.

    If you have an issue with people who post links to further information then maybe take it up with the moderators. If they agree with you, they can then remove the links. If they don't agree with you, then I guess the links will stay.

    In the meantime I will continue to post links to further information as I see fit wherever I feel it is appropriate, with no consideration at all for what you think, since you are no more a moderator than I am and I am no more accountable to you than you are to me.
    Last edited by bullant; 06-01-2011 at 03:42 AM.

