Home page logo
/

pen-test logo Penetration Testing mailing list archives

any sql injection bypass on filters?
From: Jacky Jack <jacksonsmth698 () gmail com>
Date: Thu, 23 Sep 2010 04:35:43 +0800

Hi

I'm currently on a php web application page which issues an error
message when submitting invalid value for "sort" parameter.
But the application  accepts only a-zA-Z for this parameter. I've
tried to bypass it by char(), hex().
If I change its parameter value to a value other than "ASC", "DESC",
the application issues a generic sql error starting with "You have an
error in your SQL syntax".

So, in this situation, can the application still be assumed as
vulnerable to sql injection?

Thank you.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault