Re: sql injection


Re: sql injection

by George Gallen-3


I just tried to run this using SQL*Plus, and received back:

SQL> select  @@servername,
  2      system_user,
  3      db_name()
  4  ;
select  @@servername,
        *
ERROR at line 1:
ORA-00936: missing expression

I'm very new to Oracle/SQL, and have the Oracle 10g home edition
running on an XP machine, if that matters. Just curious as to why
it didn't return the expected information.

Thanks
GG


>Nick,
>
>They're trying to get at the credentials of your server, you can run the
>query yourself in a query window like so:
>
>select @@servername,
> system_user,
> db_name()
>
>you'll notice it spits back the server name, system username and the
>database name.
>
>Rob
>


Archive: http://www.houseoffusion.com/groups/sql/message.cfm/messageid:3189

Re: sql injection

by James Holmes-3


That's an MSSQL script, not an Oracle one.

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/



2009/2/11 George Gallen <g_gallen@...>:

>
> I just tried to run this using SQL*Plus, and received back:
>
> SQL> select  @@servername,
>  2      system_user,
>  3      db_name()
>  4  ;
> select  @@servername,
>        *
> ERROR at line 1:
> ORA-00936: missing expression
>
> I'm very new to Oracle/SQL, and have the Oracle 10g home edition
> running on an XP machine, if that matters. Just curious as to why
> it didn't return the expected information.
>
> Thanks
> GG
>
>
>>Nick,
>>
>>They're trying to get at the credentials of your server, you can run the
>>query yourself in a query window like so:
>>
>>select @@servername,
>>               system_user,
>>               db_name()
>>
>>you'll notice it spits back the server name, system username and the
>>database name.
>>
>>Rob
>>
>
>
>

Archive: http://www.houseoffusion.com/groups/sql/message.cfm/messageid:3190
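
The check implied by the two replies above, as an added example that is not part of the original thread: it flags the three T-SQL expressions from the quoted query when they turn up in URL parameters of a web access log. The log lines, hosts, paths and parameter names are constructed sample data.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The three T-SQL expressions from the query quoted in this thread.
MSSQL_PROBE_TOKENS = {
    "@@servername": re.compile(r"@@servername\b", re.I),
    "system_user": re.compile(r"\bsystem_user\b", re.I),
    "db_name()": re.compile(r"\bdb_name\s*\(\s*\)", re.I),
}

# Request line of a common-log-format entry: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample data: hosts, paths and parameter names are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2009:21:30:01 -0500] "GET /products.cfm?id=42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2009:21:30:05 -0500] "GET /products.cfm'
    '?id=42%3Bselect%20@@servername,system_user,db_name() HTTP/1.1" 500 310',
    '203.0.113.7 - - [10/Feb/2009:21:30:09 -0500] "GET /products.cfm'
    '?id=42%3Bselect+%40%40SERVERNAME,+DB_NAME() HTTP/1.1" 500 310',
    '192.0.2.11 - - [10/Feb/2009:21:31:40 -0500] "GET /search.cfm?q=system+user+guide HTTP/1.1" 200 2048',
]


def scan_request(url):
    """Return {parameter: [tokens]} for query parameters carrying probe tokens."""
    hits = {}
    # parse_qsl percent-decodes each value, so encoded probes are matched in clear.
    for param, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found = sorted(n for n, rx in MSSQL_PROBE_TOKENS.items() if rx.search(value))
        if found:
            hits[param] = found
    return hits


def scan_log(lines):
    """Return [(line_number, hits)] for log lines whose request carries probe tokens."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = scan_request(match.group(1)) if match else {}
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: MSSQL metadata probe in {hits}")
```

On an Oracle back end these expressions fail to parse (the ORA-00936 shown in the thread), but a hit still records an injection attempt against the parameter and is worth investigating.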

RE: sql injection

by George Gallen-3


Answers that one. MSSQL uses @ for variable definitions
Like the SQL*Plus & substitution and variable definition?

GG

-----Original Message-----
From: James Holmes [mailto:james.holmes@...]
Sent: Tuesday, February 10, 2009 9:34 PM
To: sql
Subject: Re: sql injection


That's an MSSQL script, not an Oracle one.

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/



2009/2/11 George Gallen <g_gallen@...>:

>
> I just tried to run this using SQL*Plus, and received back:
>
> SQL> select  @@servername,
>  2      system_user,
>  3      db_name()
>  4  ;
> select  @@servername,
>        *
> ERROR at line 1:
> ORA-00936: missing expression
>
> I'm very new to Oracle/SQL, and have the Oracle 10g home edition
> running on an XP machine, if that matters. Just curious as to why
> it didn't return the expected information.
>
> Thanks
> GG
>
>


Archive: http://www.houseoffusion.com/groups/sql/message.cfm/messageid:3191

Re: sql injection

by James Holmes-3


Something like that, yes.

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/



2009/2/11 George Gallen <g_gallen@...>:

>
> Answers that one. MSSQL uses @ for variable definitions
> Like the SQL*Plus & substitution and variable definition?
>
> GG
>
> -----Original Message-----
> From: James Holmes [mailto:james.holmes@...]
> Sent: Tuesday, February 10, 2009 9:34 PM
> To: sql
> Subject: Re: sql injection
>
>
> That's an MSSQL script, not an Oracle one.
>
> mxAjax / CFAjax docs and other useful articles:
> http://www.bifrost.com.au/blog/
>
>
>
> 2009/2/11 George Gallen <g_gallen@...>:
>>
>> I just tried to run this using SQL*Plus, and received back:
>>
>> SQL> select  @@servername,
>>  2      system_user,
>>  3      db_name()
>>  4  ;
>> select  @@servername,
>>        *
>> ERROR at line 1:
>> ORA-00936: missing expression
>>
>> I'm very new to Oracle/SQL, and have the Oracle 10g home edition
>> running on an XP machine, if that matters. Just curious as to why
>> it didn't return the expected information.
>>
>> Thanks
>> GG
>>
>>
>
>
>

Archive: http://www.houseoffusion.com/groups/sql/message.cfm/messageid:3192