WebApp Sec mailing list archives

Re: SQL Injection Basics


From: Bart McKinnley <bartsimpson1997 () yahoo com>
Date: Fri, 14 Feb 2003 07:05:59 -0800 (PST)

I ran across three presentations that deal with SQL
Injection.  They helped me out when I was testing a
few asp pages I created.

The first discusses the basics of how to test web
applications for SQL injection vulnerabilities. The
second goes into the specifics of how to manually
identify and test for SQL injection vulnerabilities.
And the third describes how to exploit SQL injection
to retrieve data from the database.

Found them @
http://www.issadvisor.com/viewtopic.php?t=123

On Sat, 2003-02-08 at 20:21, raul.johhut () hushmail com
wrote:
I am pen testing a webapp and am having some
problems with SQL injection. 

The app creates an ODBC error. Is this a guarantee of
SQL Injection?

If I use www.victim/test.asp?userid=sfdsd

the error is "incorrect syntax near line 28 of
test.asp" (or that's the English translation equiv in
my case).

I know the database is called master, and has a
table test. What is the syntax I should use?

What are the best freeware and open source tools for
testing SQL injection? I tried WPoison which was OK.

I also tried WebSleuth (which seems to have gone
from GPL to closed source commercial btw). Am I right
in saying that the SQL plugin has to connect directly
to the database to work? I can only see port 80 so
don't think this will work?

Thanks, Raul.


