WebApp Sec mailing list archives
Strange behaviour in sql injection
From: "Securityinfos" <admin () securityinfos com>
Date: Tue, 29 Oct 2002 10:32:15 +0100
Conducting a pentest on a web application, I discovered something strange. The web application correctly replaces the single quote (') with a double quote ('') and correctly checks whether the value is numeric, but when I insert a value containing a comma in the query URL, the application shows an error. For example:

http://www.webapplication.com/show.asp?id=1,1

shows the error.

So, can we deduce that the previous dogmas for securing a web application, replacing quotes and checking whether a value is numeric, are not enough? I'd also like to know what Kevin Spett thinks.

Thanks,

Antonio Stano
Securityinfos
http://www.securityinfos.com
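The behaviour described in the post can be reproduced with a small model of the two checks. This is an added example, not code from the post or from the application being tested: `lenient_is_numeric` is a constructed stand-in for a permissive numeric check that tolerates separators (an assumption modelled on the reported symptom, not the actual ASP implementation), an in-memory SQLite table stands in for the application's database, and the query shape is assumed. It shows why quote doubling plus a loose numeric test still lets `1,1` reach the database as part of the SQL text, and what a strict integer check with a parameterised query does instead.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "one"), (2, "two")])
    return conn


def lenient_is_numeric(value):
    """Assumed permissive check: strips whitespace, thousands separators and
    decimal points before testing for digits, so '1,1' is accepted."""
    return value.strip().replace(",", "").replace(".", "").isdigit()


def strict_is_int(value):
    """Accepts only a plain, bounded run of ASCII digits."""
    return re.fullmatch(r"[0-9]{1,9}", value) is not None


def escape_quotes(value):
    """The quote-doubling the post describes; it does nothing to a comma."""
    return value.replace("'", "''")


def lookup_unsafe(conn, raw_id):
    """Quote doubling + lenient numeric check, then string concatenation.
    Returns the name, None, 'rejected', or an 'error: ...' string."""
    if not lenient_is_numeric(raw_id):
        return "rejected"
    sql = "SELECT name FROM items WHERE id = " + escape_quotes(raw_id)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # '1,1' survives both checks and breaks the statement: this is the
        # error page the post observed, and it shows input is reaching the
        # SQL text unparameterised.
        return "error: " + str(exc)
    return row[0] if row else None


def lookup_safe(conn, raw_id):
    """Strict integer validation, then a bound parameter: the value is never
    part of the SQL text, so neither commas nor quotes matter."""
    if not strict_is_int(raw_id):
        return "rejected"
    row = conn.execute("SELECT name FROM items WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for candidate in ("1", "1,1", "2"):
        print(candidate, "->", lookup_unsafe(db, candidate), "|", lookup_safe(db, candidate))
```

The point for the defender is in the last function: the numeric check narrows what is accepted, but the parameter binding is what keeps the value out of the statement, so a gap in the check no longer turns into a database error or worse.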