WebApp Sec mailing list archives

Re: sql comment in access

From: John Bond <john.r.bond () gmail com>
Date: Mon, 23 Jan 2006 13:30:41 +0000

On 20/01/06, Robin Wood <dninja () gmail com> wrote:

Hi
I'm trying to get sql injection working against a access db. I've
tried the standard -- as a comment and I've also tried %0A and %0D


 I belive that comments arn't possible in access. can you chain two
commands together e.g.
?user=q'%20or%20'a'='a';select%20count(*)%20from%20login%20where%20username='a&pass=a
would produce
select * from login where username='q' or 'a'='a'; select count(*)
from login where username='a' and password='a';

-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------

Current thread:

sql comment in access Robin Wood (Jan 20)
- Re: sql comment in access John Bond (Jan 23)
  - Message not available
    - Re: sql comment in access John Bond (Jan 23)
- <Possible follow-ups>
- sql comment in access Robin Wood (Jan 21)
  - Re: sql comment in access Chuck (Jan 22)
- RE: sql comment in access Mark Atherton (Jan 23)
  - Re: sql comment in access Robin Wood (Jan 23)