WebApp Sec mailing list archives
RE: SQL injection with sql 2000 sp3
From: "Vinny Bedus" <vbedus () bitchangers com>
Date: Wed, 1 Oct 2003 12:58:58 -0400
You are going to want to make sure the user you are executing the query as has sufficient permissions. You can try the same query from SQL Query Analyzer. We have not noticed any problems with our customers since the install. You are also going to want to check what version of the MDAC you are using. Could you possibly be using an older version that might have some problems with the Service Pack? Vinny Bedus Bit Changers http://www.bitchangers.com -----Original Message----- From: dsan [mailto:dsan () dev ugc-labs co uk] Sent: Wednesday, October 01, 2003 12:03 PM To: webappsec () securityfocus com Subject: SQL injection with sql 2000 sp3 hey all, I'm struggling with a test on a app that uses sql2k with sp3. im able to do execute SELECT statements with no problem, yet when i try with anything else i get syntax error messages (even though they seem to be valid statements) when trying the traditional @@version i get, Microsoft OLE DB Provider for ODBC Drivers error '80040e14' <snip> Incorrect syntax near '@@version@ Has sp3 changed all the rights for the default user to only allow SELECT queries, or are there options you can do to remove all these options from the DB? Appreciate any help on this
Current thread:
- SQL injection with sql 2000 sp3 dsan (Oct 01)
- RE: SQL injection with sql 2000 sp3 Vinny Bedus (Oct 01)