Site Server Commerce - SQL Injection


Author SQL Injection
AndrewSteffek

2004-04-07, 11:18 am

Need opinion on this.

I have an application through IIS/Commerce Server (integrated with a Great Plains
backend with SQL Server 2000).

Great Plains ecommerce 7.5
MS Commerce Server 2002
MS IIS 5.0


The web app uses forms which take data fields and convert them into SQL
queries.

If I place a single quote into any form field and submit the data, I get a SQL
exception error. If I use ' having 1=1 --- as data in any form field, I get a SQL exception error which indicates column names.

It's my understanding that this means I can use SQL injection. Is this true?

Thanks,
Andrew
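
A SQL exception triggered by a single quote in a form field, as described in the post above, is the behaviour of a query assembled by string concatenation; a parameterized query treats the same value as plain data. The following is an added example, not code from the thread or from the products it names: the `customers` table, the function names and the use of SQLite in place of SQL Server 2000 are assumptions made so that it runs offline.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the SQL Server 2000 backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customers (name) VALUES (?)",
                   [("Smith",), ("O'Brien",)])
    return db

def lookup_concat(db, name):
    # Form value pasted into the SQL text: a quote in it changes the statement.
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    # Form value bound as a parameter: it is only ever compared as data.
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def probe(db, lookup, value):
    """Return ('rows', count) or ('sql_error', message) for one form value."""
    try:
        return ("rows", len(lookup(db, value)))
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))

def audit(values):
    # Outcome of each form value against both query styles.
    db = make_db()
    return {v: (probe(db, lookup_concat, v)[0], probe(db, lookup_param, v)[0])
            for v in values}

# The two inputs from the post plus two ordinary customer names.
FORM_VALUES = ["Smith", "'", "' having 1=1 ---", "O'Brien"]

if __name__ == "__main__":
    for value, (concat, param) in audit(FORM_VALUES).items():
        print(f"{value!r:22} concatenated={concat:10} parameterized={param}")
```

The concatenated lookup also fails for the legitimate name O'Brien, so the same fix that removes the injection path removes a functional bug.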


Copyright 2003 - 2008 webservertalk.com