December 23rd, 2004, 08:18 PM
#1
Junior Member
SQL injection help
Hi,
I'm testing an application written in PHP to see if it is vulnerable to SQL injections. There is a GET query in which I put hi' to check if it's vulnerable. What I get is an error:
"DB Error: Bad SQL Query: SELECT cat_id, cat_name, cat_parent_id, cat_hits, cat_order, auth_viewcat, auth_viewimage, auth_sendpostcard FROM 4images_categories WHERE cat_name LIKE '%hi'%' ORDER BY cat_order DESC ;
You have an error in your SQL syntax near '' ORDER BY cat_order DESC ' at line 3"
Now I'm not an expert in MySQL, but then again I'm not bad either, but this is a pretty complex query for me. I notice that it encapsulates the query in '%....%'. Could this potentially be a problem?
I also noticed that whatever I put in (even -- after the query, which would make it not execute the rest) doesn't work. Could there be some independent function which checks the query?
Any ideas?
Thanks
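Why `hi'` produces the syntax error quoted in the post, and what the same `LIKE` search looks like with a bound parameter, as an added example that is not part of the original post or the application's code. It assumes Python's sqlite3 as a stand-in for PHP/MySQL so it runs offline; the table `categories`, its rows and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample table; column names follow the error message in the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE categories "
               "(cat_id INTEGER PRIMARY KEY, cat_name TEXT, cat_order INTEGER)")
    db.executemany("INSERT INTO categories (cat_name, cat_order) VALUES (?, ?)",
                   [("hi there", 1), ("it's hi'gh", 2), ("100% wool", 3), ("other", 4)])
    return db

def search_concatenated(db, term):
    """The 'before': user input pasted into the SQL text between '% and %'."""
    sql = ("SELECT cat_name FROM categories "
           "WHERE cat_name LIKE '%" + term + "%' ORDER BY cat_order DESC")
    return [row[0] for row in db.execute(sql)]

def concatenated_breaks(db, term):
    """True when the input changes the statement's structure enough to fail parsing."""
    try:
        search_concatenated(db, term)
    except sqlite3.OperationalError:
        return True
    return False

def escape_like(term, esc="\\"):
    """Make %, _ and the escape character literal inside a LIKE pattern."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_parameterized(db, term):
    """The 'after': the pattern is bound as data, so quotes never reach the parser."""
    sql = ("SELECT cat_name FROM categories "
           "WHERE cat_name LIKE ? ESCAPE '\\' ORDER BY cat_order DESC")
    return [row[0] for row in db.execute(sql, ("%" + escape_like(term) + "%",))]

if __name__ == "__main__":
    db = make_db()
    print(concatenated_breaks(db, "hi'"))   # quote ends the string literal early
    print(search_parameterized(db, "hi'"))  # quote is matched as an ordinary character
```

The surrounding `'%...%'` does not protect the concatenated query: the quote in the input closes the literal, and the trailing `%'` is what the parser then trips over.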