#1 | 05-30-2011, 09:55 PM
Napsteren (New Coder; Join Date: Oct 2010; Posts: 40)
SQL Injection test

Hello CF,
I've been working on a site that shows the classes of my school for a while now. The other day I found a SQL injection on the site. I get this after setting the var "id" to ( ''- ).
__________________________
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near '-'.

/include/functions.asp, line 175
___________________________
Now one of my friends told me to check and see if the vulnerability really is there. I do not know a lot about SQL injection, and neither does my friend. So could anyone tell me how I should check for this? What should I type in to, like, see some of the columns? Or see the passwords I made on the database with the usernames? It's just a test server right now, so all the passwords are 1235 and 12343, and the usernames are test1 and so on. So could anyone tell me how I should inject the site and see if the vulnerability really is there?

Best Regards,

Napp
#2 | 05-30-2011, 11:58 PM
Old Pedant (Supreme Master coder!; Join Date: Feb 2009; Posts: 23,195)
Just show me your code.

I don't think that error message has anything to do with SQL Injection, per se.

Oh, and by the by, this is in the wrong forum. It should be in the ASP forum, since protection against SQL Injection is server-type specific. Different code for PHP vs. ASP, for example. And it has little to do with the actual DB in use.
__________________
An optimist sees the glass as half full.
A pessimist sees the glass as half empty.
A realist drinks it no matter how much there is.
#3 | 05-31-2011, 12:16 AM
bullant (Banned; Join Date: Feb 2011; Posts: 2,699)
Quote (Originally Posted by Napsteren):
The other day I found a SQL injection on the site.
....
I do not know a lot about SQL injection, and neither does my friend. So could anyone tell me how I should check for this.

Some examples of how hackers can use SQL injection to attack your web site.

You can use prepared statements or mysql_real_escape_string (if using PHP) as defences against SQL injection.
#4 | 05-31-2011, 09:17 PM
Old Pedant (Supreme Master coder!; Join Date: Feb 2009; Posts: 23,195)
Quote:
/include/functions.asp, line 175
mysql_real_escape_string won't work too well with ASP code.

Another example of Bullant wanting to show off his skill at posting links instead of actually reading and answering the questions.

Last edited by Old Pedant; 05-31-2011 at 09:22 PM..
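To make the two points above concrete (prepared statements as the defence, and the fact that mysql_real_escape_string is a PHP function that does not apply to a classic ASP page talking to SQL Server), here is an added example written for this thread; it is not code from the poster's site or from functions.asp. It assumes a SQL Server table named Classes with an integer ClassId column and a Name column, a placeholder connection string, and that the page reads the class id from the "id" query-string parameter; all of those are assumptions. The first function shows the string-concatenation pattern that produces an "Incorrect syntax near ..." error whenever the request value is not a clean number; the second validates the value and binds it as a typed ADODB parameter, so no escaping is needed.

```vbscript
<%
Option Explicit
' Added example, not the thread's code. Assumed: table Classes(ClassId int, Name varchar),
' a placeholder connection string, and the id arriving as the "id" query-string parameter.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim connStr
connStr = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=School;Integrated Security=SSPI;"

' Vulnerable pattern: the request value is concatenated straight into the SQL text.
' Whatever arrives in "id" becomes part of the statement, so a value that is not a
' number changes the statement itself instead of being compared against ClassId.
Function GetClassNameUnsafe(rawId)
    Dim conn, rs
    GetClassNameUnsafe = ""
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set rs = conn.Execute("SELECT Name FROM Classes WHERE ClassId = " & rawId)
    If Not rs.EOF Then GetClassNameUnsafe = rs("Name").Value
    rs.Close
    conn.Close
End Function

' Fixed pattern: accept only a plain whole number, then bind it as a typed parameter.
' The driver sends the value separately from the SQL text, so it is never parsed as SQL.
Function GetClassNameSafe(rawId)
    Dim conn, cmd, rs, s
    GetClassNameSafe = ""
    s = Trim(CStr(rawId))
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function       ' empty, or too long to be a sane id
    If Not IsNumeric(s) Then Exit Function
    If CStr(CLng(s)) <> s Then Exit Function             ' refuses "1.5", "1e3", "+1" and the like

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Name FROM Classes WHERE ClassId = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(s))
    Set rs = cmd.Execute
    If Not rs.EOF Then GetClassNameSafe = rs("Name").Value
    rs.Close
    conn.Close
End Function

' The result is HTML-encoded on output so a stored value cannot become markup in the page.
Response.Write Server.HTMLEncode(GetClassNameSafe(Request.QueryString("id")))
%>
```

With the parameterised version, the probe from the first post simply returns an empty result instead of a database error; a quick check that the fix is in place is that no input to "id" can produce an ODBC syntax error any more. The whole-number check is belt and braces on top of the parameter: the parameter alone already prevents injection, the check just keeps garbage out of the query and the error log.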
#5 | 06-01-2011, 12:47 AM
bullant (Banned; Join Date: Feb 2011; Posts: 2,699)
Quote (Originally Posted by Old Pedant):
mysql_real_escape_string won't work too well with ASP code.
Yes, that is true, but since forums like this are not a 1:1 conversation and anyone on the planet with access to the interweb can potentially read this thread, there might be PHP users reading this thread who might not be aware of their options, given the OP's issues apply to PHP users as well.

Hence, that is why I posted:
Quote:
...... mysql_real_escape_string (if using PHP) .....

Quote (Originally Posted by Old Pedant):
Another example of Bullant wanting to show off his skill at posting links ......
I often post links to information, as do so many other posters, because it saves me time and a lot of typing. I'm not on anyone's payroll here so I, like everyone else volunteering replies, am under no obligation to spend a minimum amount of time on each post typing verbose replies.

If you have an issue with people who post links to further information, then maybe take it up with the moderators. If they agree with you, they can then remove the links. If they don't agree with you, then I guess the links will stay.

In the meantime I will continue to post links to further information as I see fit, wherever I feel it is appropriate, with no consideration at all for what you think, since you are no more a moderator than I am and I am no more accountable to you than you are to me.

Last edited by bullant; 06-01-2011 at 03:42 AM..