SQL injections

Discussion in 'MySQL' started by ludwig, Dec 28, 2007.

  1. #1
    Hi guys,

    Just a short question. Is it possible to SQL inject a website that gives the following error:
    Microsoft OLE DB Provider for SQL Server error '80040e07' 
    
    Syntax error converting the varchar value 'undefined' to a column of data type int. 
    
    /testtesttest.asp, line 38 
    thanks in advance
     
    ludwig, Dec 28, 2007
  2. HuggyStudios

    #2
    Depends what protection they have.

    Try something like,

    
    DROP TABLE `name`;
    
    If that throws an error like cannot find that table then yes you could easily run a SQL injection. To prevent that from happening you need to make sure you escape characters and quotes.
     
    HuggyStudios, Dec 29, 2007
  3. ludwig

    #3
    I tried and I still get this error.
     
    ludwig, Jan 3, 2008
  4. alemcherry

    #4
    That kind of error message will give out the table names etc. in some other context. You will have to validate all user inputs.
     
    alemcherry, Jan 8, 2008
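
Added example, not part of any post in this thread: the input validation the last reply asks for, applied to an integer page parameter like the one that received 'undefined' in the error above, with a bound query parameter and a generic client-facing error so driver messages never reach the browser. It assumes Python's sqlite3 as a stand-in for the site's SQL Server backend; the table, function names and sample rows are constructed for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("app")

GENERIC_ERROR = "Invalid request."  # the only error text the client ever sees


def make_db():
    """Constructed sample data standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [(1, "Welcome"), (2, "Release notes")])
    return db


def parse_id(raw):
    """Accept only a plain ASCII decimal integer of bounded length, else None."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        return None
    if len(raw) > 9:
        return None
    return int(raw)


def get_article(db, raw_id):
    """Return (status, body). Driver errors are logged server-side, never echoed."""
    article_id = parse_id(raw_id)
    if article_id is None:
        log.warning("rejected id parameter: %r", raw_id)
        return 400, GENERIC_ERROR
    try:
        # Placeholder binding: the value is never spliced into the SQL text.
        row = db.execute("SELECT title FROM articles WHERE id = ?",
                         (article_id,)).fetchone()
    except sqlite3.Error:
        log.exception("query failed")
        return 500, GENERIC_ERROR
    if row is None:
        return 404, "Not found."
    return 200, row[0]
```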