WebApp Sec
mailing list archives
Strange behaviour in SQL injection
From: "Securityinfos" <admin () securityinfos com>
Date: Tue, 29 Oct 2002 10:32:15 +0100
Conducting a pentest on a web application I discovered something strange..
the web application correctly replaces a single quote (') with a double quote
(''),
and correctly checks if the value is numeric,
but inserting a value with a comma (,) in the query URL, the application shows an error,
for example:
http://www.webapplication.com/show.asp?id=1,1
shows the error.
So, can we deduce that the previous dogmas for securing a web application,
replacing quotes and checking if a value is numeric, are not enough?
I'd like to know also what Kevin Spett thinks..
thanks..
Antonio Stano
Securityinfos
http://www.securityinfos.com
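An added example (not from the post or the application it describes) that reproduces the two defences named above, quote doubling plus a numeric check, and contrasts them with an allow-list check and a bound parameter. The `lenient_is_numeric` function is a constructed model of a numeric check that tolerates a comma as a group separator; that this is why "1,1" passed is an assumption, since the post does not say.

```python
import re
import sqlite3
from typing import Dict, Optional, Tuple

def escape_quotes(value: str) -> str:
    """Defence 1 from the post: double every single quote."""
    return value.replace("'", "''")

def lenient_is_numeric(value: str) -> bool:
    """Defence 2, modelled as a locale-style numeric check that accepts ',' as a
    group separator (constructed assumption; not the application's real code)."""
    return re.fullmatch(r"[0-9]+(,[0-9]+)*(\.[0-9]+)?", value) is not None

def strict_is_id(value: str) -> bool:
    """Allow-list: an id is ASCII digits only, so '1,1' is rejected up front."""
    return re.fullmatch(r"[0-9]+", value) is not None

def build_query_old(value: str) -> Optional[str]:
    """The pattern under discussion: escape, check numeric, concatenate into SQL."""
    v = escape_quotes(value)
    if not lenient_is_numeric(v):
        return None
    return f"SELECT title FROM items WHERE id = {v}"

def lookup_hardened(conn: sqlite3.Connection, value: str) -> Optional[str]:
    """Allow-list validation plus a bound parameter: the value never enters SQL text."""
    if not strict_is_id(value):
        return None
    row = conn.execute("SELECT title FROM items WHERE id = ?", (int(value),)).fetchone()
    return row[0] if row else None

def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run both approaches over a constructed in-memory table and the post's inputs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO items VALUES (1, 'first')")
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for v in ("1", "1,1"):
        sql = build_query_old(v)
        if sql is None:
            results[v] = ("rejected", lookup_hardened(conn, v))
            continue
        try:
            conn.execute(sql).fetchone()      # '1,1' survives the check but breaks the SQL
            results[v] = ("ok", lookup_hardened(conn, v))
        except sqlite3.OperationalError:
            results[v] = ("sql error", lookup_hardened(conn, v))
    return results

if __name__ == "__main__":
    print(demo())
```

The old path turns `id=1,1` into `WHERE id = 1,1`, which the database refuses, while the hardened path rejects the input before any SQL is built.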