a question about sql injection

Post by _-- RAZOR --_ on Wed Jul 09, 2008 4:44 pm

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/iaulahij/public_html/administrator/default.php on line 11

Warning: Cannot modify header information - headers already sent by (output started at /home/iaulahij/public_html/administrator/default.php:11) in /home/iaulahij/public_html/administrator/default.php on line 28

Is this website vulnerable?
Would you help me understand these SQL errors?

Re: a question about sql injection

Post by thedotmaster on Thu Jul 10, 2008 1:38 pm

Perhaps, perhaps not.
If you had forced that error, then yeah it might be.
But if you went on that webpage and it came up with that, then no (although it may be vulnerable anyway).
E.g.,
say the URL is: http://www.website.com/blah/code.php?file=hello
and you typed in: http://www.website.com/blah/code.php?file=`or 1=1--
and it came up with an error, then you'd know it was vulnerable (or might be vulnerable) because it is taking your input and not filtering the SQL out of it.
By the way, typing ` or 1=1-- will never h4x0r a webpage, it's just a good way of trying to force an error.
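The difference the reply above describes, between input that ends up inside the SQL text and input that is kept out of it, shown as an added example that is not part of either post and not the code of the site in question. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL backend; `make_db()`, the `find_page_*` functions and the `pages` table are hypothetical.

```php
<?php
// Added example; not code from the site in the thread. make_db(), the
// find_page_* functions and the pages table are hypothetical; data is constructed.
function make_db(int $errmode): PDO {
    $pdo = new PDO('sqlite::memory:');          // stand-in for the MySQL backend
    $pdo->setAttribute(PDO::ATTR_ERRMODE, $errmode);
    $pdo->exec("CREATE TABLE pages (name TEXT, body TEXT)");
    $pdo->exec("INSERT INTO pages VALUES ('hello', 'Hello page')");
    return $pdo;
}

// Weak: the input is concatenated into the SQL text. A stray quote makes the
// statement invalid and query() returns false. Legacy mysql_* code that passes
// that false straight to mysql_fetch_assoc() produces the first warning quoted
// in the thread; here the driver message is echoed back to the visitor instead.
function find_page_weak(PDO $pdo, string $file): string {
    $result = $pdo->query("SELECT body FROM pages WHERE name = '$file'");
    if ($result === false) {
        return 'DB error shown to visitor: ' . $pdo->errorInfo()[2];
    }
    $row = $result->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body'] : 'Not found';
}

// Hardened: the value is bound as a parameter, so it is only ever compared as
// data. Failures are logged server-side and the visitor sees a generic message.
function find_page_safe(PDO $pdo, string $file): string {
    try {
        $stmt = $pdo->prepare('SELECT body FROM pages WHERE name = :name');
        $stmt->execute([':name' => $file]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['body'] : 'Not found';
    } catch (PDOException $e) {
        error_log('page lookup failed: ' . $e->getMessage());
        return 'Something went wrong.';
    }
}

$legacy = make_db(PDO::ERRMODE_SILENT);      // failures return false, like mysql_query()
$strict = make_db(PDO::ERRMODE_EXCEPTION);   // failures throw PDOException
foreach (['hello', "hello'"] as $input) {    // constructed inputs
    echo "weak($input): ", find_page_weak($legacy, $input), PHP_EOL;
    echo "safe($input): ", find_page_safe($strict, $input), PHP_EOL;
}
```

On a production server `display_errors` should also be off in `php.ini`, so that warnings like the two quoted in the first post go to the error log rather than to the page.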


