Penetration Testing: sql injection with order by

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Penetration Testing mailing list archives

sql injection with order by

From: dietf dietf <dietf () yahoo com>
Date: 8 Apr 2005 03:52:02 -0000



Hi all,
I am trying to make an injection with the statement below,

SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND CusID='%Customer%' ORDER BY Sira, ProjeTurID"

in the statement above I inject ")select @@version-- for the variable Customer. But unless I have ended inject code 
with -- nothing happens.
I get
SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND FirmaID=")select @@version-- ORDER BY Sira, ProjeTurID"
what is the problem? can anybody tell me?
Is the problem occurs from the word ORDER BY?
Thanks

By Date By Thread

Current thread:

sql injection with order by dietf dietf (Apr 08)
- RE: sql injection with order by Ernest Nelson (Apr 10)
- Re: sql injection with order by Chitresh Sen (Apr 11)