try http://www.nextgenss/papers/advanced_sql_injection.pdf

> -----Original Message-----
> From: Ashley Woodbridge [SMTP:[EMAIL PROTECTED]]
> Sent: 07 February 2002 05:44
> To: [EMAIL PROTECTED]
> Subject: SQL injection with MySQL, PHP
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I am going over some in-house code for my current employer. The code
> is used on an internal website to manage SLA's and other network
> device stats (sort of an NMS). Anyway, the site does not check user
> input very well (affected by CSS) and I noticed the following line of
> code.
>
> $sql = "select designation from designation_desc where designation =\"$designation\"";
>
> This code is in a function that gets called directly from a few web
> pages without any input checking on the var $designation. I have
> little experience with MySQL, and when I try to insert a " to break it,
> it gets translated to a \", which of course does not allow for SQL
> injection. I would like to be able to show my boss a demo of what can
> be done so that he will allocate time to get the website security
> problem fixed (particularly because the database stores community
> strings for routers and switches).
>
> If anyone can help I would be very grateful.
>
> Ashley Woodbridge.
> Network Engineer
> B.IT CCNP
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPGIT//lE2kyUK9QFEQIv7wCfTtLL0Ugtn97qggXdpClKZWlUV2wAoJyN
> 0VRMqU/DATfAxgU9JgCW8/pF
> =MBsx
> -----END PGP SIGNATURE-----
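
The query quoted in the message beside a parameterized version of the same lookup, as an added example that is not part of the original thread or the site's code. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs without a server; the function names `lookup_concat` and `lookup_bound` and the sample rows are hypothetical.

```php
<?php
// Added example, not the original site's code. Assumption: an in-memory SQLite
// database via PDO stands in for MySQL so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE designation_desc (designation TEXT)');

// Constructed sample rows; one legitimate value contains a double quote.
$seed = $pdo->prepare('INSERT INTO designation_desc (designation) VALUES (?)');
foreach (['core', 'edge', '19" rack switch'] as $row) {
    $seed->execute([$row]);
}

// The pattern from the message: the value is pasted into the SQL text, so the
// statement's structure depends on whatever the caller passes in.
function lookup_concat(PDO $pdo, string $designation): array
{
    $sql = "select designation from designation_desc where designation =\"$designation\"";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed and the value travels as a bound
// parameter, so quotes in it are data and no escaping layer is relied upon.
function lookup_bound(PDO $pdo, string $designation): array
{
    $stmt = $pdo->prepare('SELECT designation FROM designation_desc WHERE designation = ?');
    $stmt->execute([$designation]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$value = '19" rack switch'; // raw value, as it arrives when nothing escapes it

try {
    lookup_concat($pdo, $value);
    echo "concat: query ran\n";
} catch (PDOException $e) {
    // The embedded quote ended the string literal early and changed the statement.
    echo "concat: statement broken by input\n";
}

// The bound lookup finds the row whose value contains the quote.
echo 'bound: ', json_encode(lookup_bound($pdo, $value)), "\n";
```

Against MySQL only the PDO connection string changes; the `prepare`/`execute` calls stay the same, and the function no longer depends on the request layer turning `"` into `\"`.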