Woohoo! As long as I'm just looking for obvious text on the page then it didn't work.
Levi On 6/15/06, Michael O'Keefe <[EMAIL PROTECTED]> wrote:
> Does anyone know of a good straightforward page of "try this, then this" > for > testing for a sql injection flaw? > Preferably one that deals with an openBSD/MySQL, PHP backend? The easiest way is to put a ';drop database *;' in your input This will be translated into ... SELECT * FROM item_categories WHERE item_categories.item_category = '';drop database *;'' AND item.long_item_id = item_categories.long_item_id You're typical fault injector won't care that the last part is invalid SQL, so long as the drop database * gets done ! -- Michael O'Keefe | [EMAIL PROTECTED] Live on and Ride a 03 BMW F650GSDakar| [EMAIL PROTECTED] / | I like less more or less less than |Work:+1 858 845 3514 / | more. UNIX-live it,love it,fork() it |Fax :+1 858 845 2652 /_p_| My views are MINE ALONE, blah, blah, |Home:+1 760 788 1296 \`O'| blah, yackety yack - don't come back |Fax :+1 858 _/_\|_, -- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
