Penetration Testing mailing list archives

Re: [PEN-TEST] stacking SQL requests


From: Andrew Lawton <ALawton () INFOSYSINC COM>
Date: Wed, 30 Aug 2000 14:21:11 -0400

You can find M$ info on xp_sendmail at:

http://support.microsoft.com/support/SQL/Content/inprodhlp/_xp_sendmail.asp?LN=EN-US&SD=gn&FR=0

Please note that you have to have configured the SQLMail agent (install
Outlook, set up profile, etc.) for any of this to even run. As far as quoted
statements, I'm under the presumption that you have to roll your own. Anyone
that doesn't do any syntax checking on the queries from this type of thing
is asking for it.

'drew

-----Original Message-----
From: Nicolas Gregoire [mailto:nicolas.gregoire () 7THZONE COM]
Sent: Wednesday, August 30, 2000 11:30 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] stacking SQL requests


Emmanuel Gadaix wrote:

That is, inputs such as: hisname' ; select sysdate from dual --
will result in:
ERROR at line 2:
ORA-00911: invalid character
Anybody on the list has been playing with this on Oracle? Other databases?

Do you use an interface between your web form and your DB?

For example, using Perl and the DBI.pm interface with the MySQL driver,
it is impossible to execute something like:

(select * from CLIENTS where nom="my_name" ; drop CLIENTS ) #)"

when your input is:

my_name" ; drop CLIENTS ) #

because the DBI Perl module forbids the execution of more than one command
at the same time.

I don't know about other DBs, sorry.

(Who knows about a stored procedure in MS SQL that allows sending results by
mail?)
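
Added example, not part of the archived messages: a comparison of the two defences the thread mentions, a driver that refuses more than one statement per call and the caller's own input handling. It assumes Python's built-in sqlite3 module as a stand-in for Perl DBI with the MySQL driver (it applies the same one-statement-per-call rule); the function names are hypothetical and the stacked input is constructed, adapted to SQLite syntax.

```python
import sqlite3

# Constructed input: the thread's stacked-statement shape in SQLite syntax.
STACKED = "my_name' ; DROP TABLE CLIENTS --"

def make_db():
    """In-memory table with two constructed rows, one containing a quote."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CLIENTS (nom TEXT)")
    db.executemany("INSERT INTO CLIENTS VALUES (?)",
                   [("my_name",), ("O'Brien",)])
    return db

def lookup_concat(db, name):
    """Builds the SQL text by string concatenation (the pattern discussed)."""
    sql = "SELECT nom FROM CLIENTS WHERE nom='" + name + "'"
    try:
        return ("rows", [r[0] for r in db.execute(sql)])
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # The driver refuses multi-statement text before running any of it;
        # a legitimate name with a quote fails too, as a syntax error.
        return ("error", type(exc).__name__)

def lookup_bound(db, name):
    """Passes the value as a bound parameter; it is never parsed as SQL."""
    cur = db.execute("SELECT nom FROM CLIENTS WHERE nom = ?", (name,))
    return ("rows", [r[0] for r in cur])

def table_exists(db):
    cur = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'CLIENTS'")
    return cur.fetchone()[0] == 1

if __name__ == "__main__":
    db = make_db()
    for value in ("my_name", "O'Brien", STACKED):
        print(repr(value), lookup_concat(db, value), lookup_bound(db, value))
    print("CLIENTS still present:", table_exists(db))
```

The driver-level refusal only turns the stacked input into an error; the bound-parameter version handles the same input, and the legitimate name containing a quote, as plain data.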

