
Thread: sql question??

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    2

    sql question??

    When I checked my site for SQL injection, I received a message:
    error: [Microsoft][ODBC SQL Server Driver][SQL Server] Line 1: Incorrect syntax near '`'.
    What can I do now? I want to hack my site to protect it in the future.
    Thanks

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    219
    As far as I can figure out from your statement, there is some syntax error in the code where you have written SQL code.
    Now is the moment, or NEVER!!!

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    227

    A very good article about SQL injection can be found here.

    And what should you do to protect your pages? IMHO it is very important to suppress the error messages produced by your database, or replace them with something that will inform the user about an error but doesn't tell him where exactly this error is. The other thing is to filter all unwanted chars that can be input by the user. In PHP you can use addslashes etc...

    Sun7dots

  4. #4
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    You don't need to know more about SQL injection... you need to know more about proper input validation so you can fix your site. You need to look up the characters you should be stripping out of your inputs to prevent this style of attack; you might also look at where your SQL lives, what it does, and whether it really needs to do it that way.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted by sun7dots:
    "Other thing is to filter all unwanted chars that can be input by the user."
    "You need to look up the characters you should be stripping out of your inputs to prevent this style of attack, {...}"
    This is actually the wrong way to do it, as people tend to forget things or overlook stuff (the infamous "too many slashes syndrome").

    You need to filter on the characters you want and drop everything else.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
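The advice in posts #3 and #5 (hide the database's own error text from the visitor, and validate on an allow-list of permitted characters rather than stripping a block-list) as an added example, not code from any poster in this thread. It uses Python with an in-memory SQLite table as a constructed stand-in for the poster's SQL Server database; the `users` schema, the username rules and the `add_slashes` imitation of PHP's addslashes() are all assumptions made for the illustration.

```python
import re
import sqlite3


# Constructed in-memory table standing in for the poster's site database
# (hypothetical schema; the thread never shows the real one).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def add_slashes(value):
    """Simplified imitation of PHP's addslashes(): backslash-escape ', " and \\.
    Included only to show the 'too many slashes' problem from post #5: applying
    it twice (a common mistake in layered code) corrupts legitimate input."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


# Allow-list for a username field: letters, digits and underscore, 1-32 chars.
# Anything outside this set is rejected; nothing is "stripped" or "escaped".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value):
    """Allow-list check (post #5's advice): accept only what a username may contain."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup_unsafe(conn, username):
    """String concatenation, the pattern behind the syntax error in the original
    question: a stray quote in the input breaks the statement itself."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def unsafe_lookup_raises(conn, username):
    """True if the concatenated query fails with a database error for this input."""
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.Error:
        return True


def lookup_safe(conn, username):
    """Allow-list validation first, then a parameterised query, and a generic
    message instead of the driver's error text (post #3's advice)."""
    if not validate_username(username):
        return {"ok": False, "message": "Invalid username."}
    try:
        rows = conn.execute(
            "SELECT email FROM users WHERE username = ?", (username,)
        ).fetchall()
    except sqlite3.Error as exc:
        # Log the real exception server-side; the visitor never sees it.
        print("db error (logged server-side only):", exc)
        return {"ok": False, "message": "An error occurred. Please try again later."}
    return {"ok": True, "emails": [r[0] for r in rows]}


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "alice"))
    print("stray quote breaks the concatenated query:", unsafe_lookup_raises(db, "'"))
    print(lookup_safe(db, "alice"))
    print(lookup_safe(db, "'"))
    print("addslashes applied twice:", add_slashes(add_slashes("O'Brien")))
```

The allow-list regex is the part that should be tuned per field: a username field can be this strict, a surname field has to admit apostrophes. That is exactly why the parameterised query sits behind the validation; with the value passed as a parameter rather than spliced into the statement, a permitted apostrophe is stored as data and never reaches the SQL parser, so the check is about data quality rather than the last line of defence.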
