Penetration Testing mailing list archives

any sql injection bypass on filters?
From: Jacky Jack <jacksonsmth698 () gmail com>
Date: Thu, 23 Sep 2010 04:35:43 +0800


I'm currently on a PHP web application page which issues an error
message when submitting an invalid value for the "sort" parameter.
But the application accepts only a-zA-Z for this parameter. I've
tried to bypass it with char() and hex().
If I change its parameter value to a value other than "ASC" or "DESC",
the application issues a generic SQL error starting with "You have an
error in your SQL syntax".

So, in this situation, can the application still be assumed to be
vulnerable to SQL injection?

Thank you.
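
The behaviour described in the post, reproduced as an added example that is not from the original message or the application: a letters-only filter still lets the value reach the statement text, which is why a value other than ASC/DESC yields a syntax error, while an allowlist mapping keeps request input out of the SQL. Python with sqlite3 stands in for the PHP application and its database; the table, function names and sample values are constructed.

```python
import re
import sqlite3

LETTERS_ONLY = re.compile(r"[a-zA-Z]+")
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}  # the only keywords ever emitted


def make_db():
    """Constructed sample data in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items (name) VALUES (?)",
                   [("pear",), ("apple",), ("fig",)])
    return db


def list_items_filtered(db, sort):
    """Pattern matching the post: character filter, then string concatenation."""
    if not LETTERS_ONLY.fullmatch(sort):
        raise ValueError("invalid sort")
    # The value is still spliced into the SQL text, so any letters-only token
    # that is not a sort keyword changes the grammar and the parser rejects it.
    query = "SELECT name FROM items ORDER BY name " + sort
    return [row[0] for row in db.execute(query)]


def list_items_allowlisted(db, sort):
    """Hardened: the request value only selects one of two constant keywords."""
    direction = SORT_DIRECTIONS.get(sort.lower(), "ASC")
    query = "SELECT name FROM items ORDER BY name " + direction
    return [row[0] for row in db.execute(query)]


def probe(fn, value):
    """Classify the outcome for one sort value: 'ok', 'rejected' or 'sql-error'."""
    db = make_db()
    try:
        fn(db, value)
        return "ok"
    except ValueError:
        return "rejected"      # stopped by the character filter
    except sqlite3.Error:
        return "sql-error"     # reached the SQL parser and broke the statement


if __name__ == "__main__":
    for value in ("DESC", "foo", "1x"):  # constructed inputs
        print(value, probe(list_items_filtered, value),
              probe(list_items_allowlisted, value))
```

A `sql-error` result for a value that passed the filter is the signal that request input is being concatenated into the query; with the allowlisted version no request value can produce it.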
