WebApp Sec mailing list archives

sql comment in access

From: Robin Wood <dninja () gmail com>
Date: Fri, 20 Jan 2006 19:42:26 +0000

Hi
I'm trying to get sql injection working against a access db. I've
tried the standard -- as a comment and I've also tried %0A and %0D
with no luck. Can anyone suggest any other ways to comment out the
rest of the statement?

Example:
select * from login where username='inject here' and password='inject
here as well'

In MSSQL I would replace inject here with:

' or 1=1 --

what can I do in access?

Robin

-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------

Current thread:

sql comment in access Robin Wood (Jan 20)
- Re: sql comment in access John Bond (Jan 23)
  - Message not available
    - Re: sql comment in access John Bond (Jan 23)
- <Possible follow-ups>
- sql comment in access Robin Wood (Jan 21)
  - Re: sql comment in access Chuck (Jan 22)
- RE: sql comment in access Mark Atherton (Jan 23)
  - Re: sql comment in access Robin Wood (Jan 23)