SQL injection?


stevelibby

8:30 am on Dec 1, 2007 (gmt 0)

10+ Year Member



Hi
In my stats yesterday I noticed the following statement in a query string:
make=Land%20Rover'%20%20And%20(select%20Top%201%20char(94)%2Bcast(B.xtype%20as%20varchar(80))%2Bchar(94)%20from%20[DB_name]..[sysobjects]%20A@[DB_name]..[syscolumns]%20B%20where%20A.id=B.id%20and%20A.name='DB_table_name'%20and%20B.name='InDate')>0%20And%20''='

What's happening, and is this something to be concerned with? I am tempted to create a line at the start of pages where, if the query string contains a particular word or character, then send 'em off somewhere.

mrMister

12:40 pm on Dec 1, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



what's happening

Yes, it looks like they tried some kind of SQL injection. They were just doing a SELECT query, so they weren't trying to damage your data. They might have been hunting for more information in order to prepare an actual attack. Or maybe they were frustrated that your search interface wasn't powerful enough and were using their technical knowledge to achieve that.

is this something to be concerned with?

Only if you've failed to sanitise your data properly. Why don't you load up the URI they accessed in your own web browser to see what happens?

I am tempted to create a line at the start of pages where, if the query string contains a particular word or character, then send 'em off somewhere.

What a waste of time! If you are sanitising your input data correctly then there is nothing to worry about.

mrMister

12:54 pm on Dec 1, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Is this your car advice site? If so, I just had a look and it doesn't seem to me like you're sanitising the data properly. Sticky me if you want more advice.