WebApp Sec mailing list archives
Forced invalid SQL errors
From: "Steven M. Christey" <coley () mitre org>
Date: Sat, 10 Dec 2005 14:51:28 -0500 (EST)
All,

I am noticing a significant number of diagnosis errors by beginner researchers who try to exploit SQL injection holes using simple manipulations such as:

  victim.php?action=create&param='[SQL]

The researcher causes the script to generate an error but doesn't dig any deeper, labeling it "SQL injection". In some number of cases - I can't guess at a percentage - it's clear that they're just causing invalid SQL to be generated, and there's no real ability to modify an SQL statement. This often seems to happen when the wrong type of data is provided, e.g. when the ' gets inserted as a value in a field that is expected to be numeric.

I think of this as SQL "modification" and insufficient data cleansing at worst, not SQL injection. A term "forced invalid SQL" comes to mind, but I was wondering what terminology others use, if any, and if there are other examples besides using a non-numeric value in a numeric field.

- Steve
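Added example (not part of the original post or the list archive): a small Python/sqlite3 sketch of the distinction drawn above. Both hypothetical handlers, create_bound and create_concat, return a database error for a lone quote, but only in the second does the statement text handed to the database depend on the input. The items table, its CHECK constraint and the sample values are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed schema: qty may only contain digits, enforced by the database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT, "
               "qty INTEGER CHECK (qty NOT GLOB '*[^0-9]*'))")
    return db

def create_bound(value):
    """Hypothetical 'create' handler: the value travels as a bound parameter."""
    return "INSERT INTO items (name, qty) VALUES ('widget', ?)", (value,)

def create_concat(value):
    """Hypothetical 'create' handler: the value is pasted into the statement text."""
    return "INSERT INTO items (name, qty) VALUES ('widget', " + value + ")", ()

def triage(handler, benign="7", probe="'"):
    """Return (benign_ok, probe_error, statement_depends_on_input).

    An error on the probe alone says nothing about injection; what matters
    is whether the SQL text the database parses changes with the input.
    """
    outcomes = []
    for value in (benign, probe):
        db = make_db()
        sql, params = handler(value)
        try:
            db.execute(sql, params)
            outcomes.append(None)
        except sqlite3.Error as exc:
            outcomes.append(type(exc).__name__)
        finally:
            db.close()
    text_changes = handler(benign)[0] != handler(probe)[0]
    return outcomes[0] is None, outcomes[1], text_changes

if __name__ == "__main__":
    for handler in (create_bound, create_concat):
        ok, err, changes = triage(handler)
        verdict = "statement is input-controlled" if changes else "data rejected only"
        print(f"{handler.__name__}: benign_ok={ok} probe_error={err} -> {verdict}")
```

The bound handler fails with a constraint error on the data value, while the concatenating handler fails with a parse error because the quote became part of the statement itself.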