You are here: sql injection? « All PHP « IT news, forums, messages
sql injection?

Posted by pantagruel on 12/21/05 11:03

Hi, I'm worried that one of our online applications is exposed to a
possible SQL injection attack. I don't have the code for the
application as it is developed by a third party but the request:

my.php?x='1+1'

returns the error

Database error: Invalid SQL: SELECT x_id, x_type FROM object WHERE
x_serial = ''1 1''
MySQL Error: 1064 (You have an error in your SQL syntax. Check the
manual that corresponds to your MySQL server version for the right
syntax to use near '1 1''' at line 1)
Session halted.


Now looking at that it seems not to be open to an SQL injection because
the x querystring parameter was cleansed before being passed to
x_serial, at least that is my interpretation.

does this seem reasonable? Other than that I am of course somewhat
annoyed at the application spitting out sql code in its error report.

Is there anything I should try to pass as a parameter that will tell me
for sure if it is allowing SQL injection. The database, which I found
out from another error code on another page, is MySql.

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация