Programming Forums
User Name Password Register
 

RSS Feed
FORUM INDEX | TODAY'S POSTS | UNANSWERED THREADS | ADVANCED SEARCH

Reply
 
Thread Tools Display Modes
Old Oct 25th, 2006, 5:32 PM   #1
TCStyle
Programmer
 
Join Date: Jan 2005
Location: Albany, NY
Posts: 43
Rep Power: 0 TCStyle is on a distinguished road
SQL injection on an insert query.
Firstly, this is not going to be used maliciously. It is for test purposes on a BBS that I'm coding.

How would I go about injecting an insert query? I'll use a generic code:
(Toggle Plain Text) 
mysql_query("INSERT INTO data (fData, sData) VALUES('" + $fData + "', '" + $sData + "')");

Let's say the variables $fData and $sData come straight from my html forum without passing through any checks(no strip_tags() or get_magic_quotes_gpc() functions). Now, I know how to inject a select from query, but I don't know how I would inject this?

Any help is appreciated.
__________________
meh...
TCStyle is offline   Reply With Quote
Old Oct 25th, 2006, 6:22 PM   #2
DaWei
Resident Grouch
 
DaWei's Avatar
 
Join Date: Jun 2005
Posts: 6,453
Rep Power: 10 DaWei is on a distinguished road
This is borderline, regarding the forum's rules. There are a lot of places that discuss such things freely. One thing I wonder is why you wouldn't untaint or sanitize user's input? Then you would only have to test against robust code.
__________________
Abstraction doesn't make it impossible to write bad code; it makes it possible to write superior code.
Contributor's Corner: Grumpy on C++ Exceptions DaWei on Pointers
DaWei is offline   Reply With Quote
Old Nov 5th, 2006, 7:14 PM   #3
jsilver608
Newbie
 
Join Date: Oct 2006
Posts: 20
Rep Power: 0 jsilver608 is on a distinguished road
You can test it out by putting in ' or " and direct sql statements to see if it affects your data.

You could just put in a ' in your input fields and if you get an error back like this (then you are vulnerable):

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax' at line X"
__________________
High Performance PHP
http://www.whenpenguinsattack.com
jsilver608 is offline   Reply With Quote
Reply

Bookmarks

« Previous Thread in Forum | Next Thread in Forum »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
C# VS 2005 - SQL Query Parameters to an ODBC DataSource jcrcarmo C# 3 Apr 10th, 2006 3:58 PM
Process injection jayme C++ 3 Jan 28th, 2006 6:05 AM
Operation must use an updateable query.!!! paulchwd ASP 3 Aug 24th, 2005 10:36 PM
How to detect cursor location and insert text??? syntax-error C# 3 Jun 30th, 2005 1:42 AM


Contact Us - DaniWeb IT Discussion Community - Privacy Statement - Top


DaniWeb IT Discussion Community
All times are GMT -5. The time now is 7:42 AM.

Powered by vBulletin® Version 3.7.0, Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Copyright ©2007 DaniWeb® LLC