Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
From: ct7 () UNICORNSREST ORG (W. Craig Trader)
Date: Wed, 9 Feb 2000 12:17:01 -0500


"Smith, Eric V." wrote:

Not true, at least for the case of MS Sql Server 7.  The following
statement:

insert into customer (name, primary_contact)
values ('a', '4')

succeeds where primary_contact is of type int (I also tried numeric just to
be sure).  I write code like this all of the time when I know the column
names but not their types.

Did you actually try this yourself before posting?  What results did you
observe?

I don't have a copy of SQL Server lying around, but I can speak to
several other RDBMSes (Oracle 7 & 8, MS Access, MySQL, Informix, and other
lesser products) as well as the SQL 89 and SQL 92 standards.  In standard
SQL, you must not use quotes around non-string constants.  Numeric
constrants must be unquoted, Date/Time constants must use the Date/Time
delimiter (# for MS Access, other characters for other products).

Have you ever used anything besides Microsoft RDBMSes?  Microsoft is
not well known for their ability to adhere to industry standards.

- Craig -


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault