RE: yet another injection question

["David Cameron" <dcameron () itis-now com>]

The error is very simple. You are inserting a NULL into a column that does not allow a NULL. Whether you filled in a 
HTML field in some form is barely relevant. This has also has nothing to do with sql injection or web app security, 
except that by displaying this error you are providing information about your database.

I'm guessing we are talking ASP here from the fact that you are running SQL7, however this also applies to php.

<simplification>
Inserting data in web apps generally happens in the following form. Fill in HTML form and submit. The HTML form submits 
to a page that reads the POSTed data (Request, Request.Form in ASP, $_POST php). From this data either a SQL statement 
is generated (INSERT INTO tbl (<columns>) VALUES (<values>)) and executed, or a stored procedure is executed with a 
command object.
</simplification>

With that in mind the error is going to come from one of two sources:
1. forgetting to set a value in the INSERT statement (hence defaulting to NULL), ie not enough columns in the VALUES ().
2. explicitly setting a value to NULL.

Judging from the question I'd suggest 1. is more likely. That means that either in your proc or your generated SQL 
statement you have missed a column. That is you have not correctly mapped the fields from the HTML form to the columns 
of your database.

This question is more suited to an asp (or php) mailing list, not a web application security list. I'd suggest looking 
into some of the lists that are out there. 
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=asp+mailing+list

regards
David Cameron
nOw.b2b
dcameron () itis-now com 

> -----Original Message-----
> From: ronen [mailto:ronen () avnet co il]
> Sent: Wednesday, 16 April 2003 3:22 AM
> To: 'Jacob Hurley'; 'web-app-sec list'
> Subject: RE: yet another injection question
>
>
> Thanks Jacob.
>
> However, It seems that I didn’t explained myself correctly. Thousand
> apologies.
>
> The request that creates the user has a 'FOO' field already, 
> and I made
> sure that this field will have an explicit value.
>
> This was done using the credentials of an existing an privileged user
> (the account was accessed with good old injection techniques).
>
> Thanks again for the help and the quick response.
>
> Ronen.
>
> -----Original Message-----
> From: Jacob Hurley [mailto:jacobh () aos5 com] 
> Sent: Tuesday, April 15, 2003 5:02 PM
> To: ronen; web-app-sec list
> Subject: RE: yet another injection question
>
>
>
>
> the problem is with your sql query to insert into the database, it's
> telling you that FOO can't be NULL.. so append to you INSERT / VALUE
> statement a value for FOO
>
> looks like the hard part is over, if it was hard  :p
>
>
> Jacob Hurley
>
>
>
>
> -----Original Message-----
> From: ronen [mailto:ronen () avnet co il]
> Sent: Tuesday, April 15, 2003 2:49 AM
> To: web-app-sec list
> Subject: yet another injection question
>
>
> Hello all,
>
>
>
> While pen testing a web application, and bypassing the authentication
> using a basic injection, I've tried to add a user to the database
> through a built-in form.
>
>
>
> However, when sending the URL, I received the follows:
>
>
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value
> NULL into column 'FOO', table 'BAR'; column does not allow 
> nulls. INSERT
> fails.
>
>
>
>
>
> The request URL has a field named 'FOO', and I explicitly inserted a
> value to that field.
>
>
>
> I was logged in with a privileged user (seems to have the highest
> privileges available ).
>
>
>
> Any idea what's the reason for the mentioned ODBC error.
>
>
>
> BTW, the system is a 'Microsoft SQL Server 7.00 - 7.00.1063' 
> running on
> Windows NT 5.0 (Build 2195: Service Pack 3).
>
>
>
> Thanking you all in advance.
>
>
>
> Ronen