Penetration Testing mailing list archives

Re: SQL injection question

From: ".Saphyr" <saphyr () infomaniak ch>
Date: Thu, 22 Jan 2004 09:07:12 +0100

: i tried to use %20, \20 etc.. but it don't seems to
: work

If your target is a mssql server, if you need spaces into your string
requests you can still use the SPACE function: 

SELECT * FROM users WHERE username = 'John'+SPACE(2)+'McLane'

What do you precisely need spaces for ?

Did you try simply using the '+' sign ?

.merlin



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Re: SQL Injection question, (continued)
- - - Re: SQL Injection question Adam Tuliper (Jan 05)
  - Reverse Engineering thoughts n30 (Jan 07)
    - Re: Reverse Engineering thoughts Riad S. Wahby (Jan 07)
    - Re: Reverse Engineering thoughts johnny cyberpunk (Jan 07)
    - RE: Reverse Engineering thoughts Brett Moore (Jan 07)
    - Re: Reverse Engineering thoughts Adam Tuliper (Jan 07)
- RE: SQL Injection question Tibor Biro (Jan 05)
- RE: SQL Injection question Lachniet, Mark (Jan 05)
- RE: SQL Injection question Scovetta, Michael V (Jan 05)
- SQL injection question John (Jan 21)
  - Re: SQL injection question .Saphyr (Jan 22)