Re: SQL injection from within a table - is it possible?

[Kevin Conaway <kevin.conaway () gmail com>]

Peter,

When you select a value out of a database, it wont rewrite the query
with the contents of the value you are selecting.

Kevin


On 7 Jan 2005 00:59:44 -0000, Peter Bair <peterbair100 () hotmail com> wrote:
> Is it possible to store an SQL injection string into a MSSQL database table, so when the database performs an action 
> like through a stored proc, the SQL injection attack takes place?
>
> Not through the normal means of SQL injection via a web base means, but if you have the means of storing the data 
> into the table directly.
>
> Example:
>
> An application has a users name in a table.  Is it possible to assign the users name as the SQL injection string, 
> something like
>
>    name from table; exec master.xp_cmdshell "ping me"; --
>
> so when the database is running a stored procedure with a  select clause like
>
>    select name from table
>
> it really is becomes
>
> select name from table; exec master.xp_cmdshell "ping me" ;-- from table
>
> Of course using the SQL query analyzer on the database table, all this works ok.
>
> But when I insert the SQL injection string into the table, as the name, and then query the table nothing happens.
>
> Is it possible or have I missed the point here?
>
> Thanks Peter.