Actually, it is not escaped, if it was the error would never occur.
What you are seeing is the opening single quote from the query, the
single quote passed by the user, the closing single quote from the
query and a final single quote from the error message. ;-)
-dhs
Dean H. Saxe, CEH
dean@fullfrontalnerdity.com
"What difference does it make to the dead, the orphans, and the
homeless, whether the mad destruction is wrought under the name of
totalitarianism or the holy name of liberty and democracy? "
--Gandhi
On Nov 28, 2005, at 8:11 AM, Rich Bergmann wrote:
The application is apparently "escaping" (doubling-up) quotes in the
password field. This is good practice, although a better (best?)
practice
would be to parameterize the query.
AFAIK, SQL injection on this form will be difficult, if not
impossible.
-----Original Message-----
From: Jason binger [mailto:cisspstudy@yahoo.com]
Sent: Sunday, November 27, 2005 7:50 PM
To: webappsec@securityfocus.com
Subject: Simple to exploit SQL Injection ?
I am reviewing a .Net web application. When entering
xyz for a username and ' for a password into a form I
receive the following stack trace (extract):
System.Exception: Can't Load DataReader using SQL
string: 'SELECT * FROM users WHERE username = 'xyz'
AND password = '''' -- Unclosed quotation mark before
the character string '''. Line 1: Incorrect syntax
near '''.
Now I would have thought this would be easy to
exploit, but I can't bypass the logon page. xyz is a
valid username. Any ideas?
Cheers
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
