Re: SQL injection question

From: .Saphyr (saphyr@infomaniak.ch)
Date: Thu Jan 22 2004 - 03:07:12 EST


: I tried to use %20, \20, etc., but it doesn't seem to
: work

If your target is an MSSQL server and you need spaces in your string
requests, you can still use the SPACE function:

SELECT * FROM users WHERE username = 'John'+SPACE(2)+'McLane'

What precisely do you need spaces for?

Did you try simply using the '+' sign?

.merlin
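
Added example, not part of the original message: because T-SQL can build spaces with SPACE() and '+', an input filter that only strips or rejects space characters does not protect a concatenated query, while a bound parameter does. The #users table, its columns and the @input, @sql and @u names are assumptions made for this sketch.

```sql
-- Added illustration for SQL Server; all object and variable names are assumed.
-- Constructed sample data: one username with two spaces in it.
CREATE TABLE #users (
    id       INT IDENTITY PRIMARY KEY,
    username NVARCHAR(64) NOT NULL
);
INSERT INTO #users (username) VALUES (N'John  McLane'), (N'Hans Gruber');

-- Constructed input value. It contains no literal space character, so a
-- filter that only removes or blocks spaces passes it through unchanged.
DECLARE @input NVARCHAR(200) = N'John''+SPACE(2)+''McLane';

-- 1) Weak pattern: the input is concatenated into the statement text.
--    The server parses '+' and SPACE(2) as T-SQL, so the WHERE clause reads
--    username = 'John'+SPACE(2)+'McLane' and the expression is evaluated
--    server-side, after any space filter has already run.
DECLARE @sql NVARCHAR(400) =
    N'SELECT id, username FROM #users WHERE username = ''' + @input + N'''';
EXEC (@sql);

-- 2) Corrected pattern: the same input is bound as a parameter.
--    The whole value, quotes and SPACE(2) included, is compared as data
--    and is never parsed as part of the statement.
EXEC sp_executesql
    N'SELECT id, username FROM #users WHERE username = @u',
    N'@u NVARCHAR(200)',
    @u = @input;

DROP TABLE #users;
```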
