WebApp Sec mailing list archives

RE: SQL Injection Basics


From: "Forrest Lee Andrews" <lee.andrews () cox net>
Date: Mon, 10 Feb 2003 10:47:47 -0600

The "'" mark is in fact used in SQL statements when using VB\VBScript:

Dim sql As String
sql = "select * from foo where bar = 'baz'"   ' the ' inside the "..." literal is SQL's string delimiter, not a VB comment

-----Original Message-----
From: Nick Jacobsen [mailto:nick () ethicsdesign com]
Sent: Monday, February 10, 2003 5:07 AM
To: Loki; raul.johhut () hushmail com
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection Basics


Hmm... just a guess here, but if a developer is using VBScript as the
scripting language, would SQL injection be impossible, since in VBScript the
" ' " mark is a comment mark, and therefore never used in SQL statements?

Nick J
nick () ethicsdesign com
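As an added example (not code from either poster), the concatenation pattern of the VB line above, mirrored in Python against an in-memory SQLite table with constructed rows. It shows that the ' in the query text is SQL's string delimiter regardless of the host language, so untrusted input containing a ' breaks out of the literal, and that a parameterised query with the same input does not. The table foo, column bar and the sample rows are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO foo (bar, secret) VALUES (?, ?)",
        [("baz", "alpha"), ("qux", "beta"), ("quux", "gamma")],
    )
    conn.commit()
    return conn


def build_sql_concat(user_input):
    """Same shape as the VB line in the post: the ' marks delimit the SQL literal.

    Whatever the host language treats ' as in its own source code is irrelevant;
    the database parses the finished string, and there ' ends the literal.
    """
    return "select * from foo where bar = '" + user_input + "'"


def query_concat(conn, user_input):
    """Vulnerable: user input is spliced into the statement text."""
    return conn.execute(build_sql_concat(user_input)).fetchall()


def query_param(conn, user_input):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("select * from foo where bar = ?", (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Benign input: one row either way.
    print(query_concat(db, "baz"))
    print(query_param(db, "baz"))
    # Input that closes the literal and appends a tautology: every row leaks.
    hostile = "' OR '1'='1"
    print(build_sql_concat(hostile))
    print(query_concat(db, hostile))
    # Input that closes the literal and comments out the trailing quote with SQL's own "--".
    print(query_concat(db, "x' OR 1=1 --"))
    # The parameterised query just looks for a row whose bar equals the odd string: none.
    print(query_param(db, hostile))
```

The SQL "--" comment in the third probe is the database's comment syntax, not VBScript's; the two never interact, which is the point of the reply above.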

