Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 3 of 3
10-27-2007, 08:39 AM #1
- Join Date
- Jun 2006
- Thanked 3 Times in 3 Posts
SQl Injection through ASP and MS SQl 2000
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
Can someone explain plz?
10-27-2007, 11:33 AM #2
- Join Date
- May 2007
- Thanked 18 Times in 18 Posts
They don't initially. They use SQL injection to get a list of tables using something likeThis works for SQL Server 2005 but they woul try other variants for SQL Server 2000 or MySQL.Code:select * from sys.tables
Or they just guess. Table names like Products or Users are often used.
If the web site administrator has got the security settings wrong then it may even be possible to see the ASP source too.
10-27-2007, 04:08 PM #3
The SQL injection basically says that the user manages to write database commands to your database. This can be done using a search input in your form or any other input that is being executed by the server.
There's a way to prevent SQL injection and it's to convert the threatning characters to their html coded value. ie:
Code:Function strFormat(str) str = Replace(str,"'","'" strFormat = str End Function