#1
August 24th, 2005, 12:35 PM
Doug Johnston
Error 500 - Internal Server Error

Hi,

I am trying to pass the following and it keeps giving the same error...

http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser

...the problem is the LIKE '%0002%'. If I remove the %'s from each side
of the value, no error.

Anyone got any ideas

Regards
Doug Johnston
#2
August 24th, 2005, 12:55 PM
Philip Ronan
Re: Error 500 - Internal Server Error

"Doug Johnston" wrote:
> Hi,
>
> I am trying to pass the following and it keeps giving the same error...
>
> http://www.megamotza.com/cst_hsql.ph...l=select%20*%2
> 0from%20sysuser%20where%20companies%20LIKE'%0002%' %20AND%20usrflag%20='U'&tbln
> ame=curSysuser
>
> ...the problem is the LIKE '%0002%'. If I remove the %'s from each side
> of the value, no error.
>
> Anyone got any ideas
>
> Regards
> Doug Johnston

You should have URLencoded the percent characters:

<http://www.megamotza.com/cst_hsql.ph...&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%350002%35'%20AND%20usrflag%20='U'&tblname=curSysuser>

But I have to say that running SQL requests directly from unvalidated HTTP
requests is really stupid and irresponsible. Publishing the URL of this
insecure database is really asking for trouble. Fix it now before someone
f**ks up your database.


--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

#3
August 24th, 2005, 01:05 PM
Alvaro G Vicario
Re: Error 500 - Internal Server Error

*** Doug Johnston wrote (Wed, 24 Aug 2005 11:24:17 GMT):
> http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser
>
> ...the problem is the LIKE '%0002%'. If I remove the %'s from each side
> of the value, no error.

Don't even solve it. If anyone can send custom queries to your database,
anyone can break your site. And they will.

Apart from that, there's only a small subset of chars that are valid in an
URL. You can get the appropriate conversion with rawurlencode(); decoding
is automatic.

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - My site about web programming
-- Don't e-mail me your questions, post them to the group
--
#4
August 24th, 2005, 01:25 PM
Jerry Stuckle
Re: Error 500 - Internal Server Error

Doug Johnston wrote:
> Hi,
>
> I am trying to pass the following and it keeps giving the same error...
>
> http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser
>
> ...the problem is the LIKE '%0002%'. If I remove the %'s from each side
> of the value, no error.
>
> Anyone got any ideas
>
> Regards
> Doug Johnston

Maybe pass it through urlencode() first?

Or, better yet - DON'T PASS THE SQL IN THE REQUEST! i.e.

http://www.megamotza.com/cst_hsql.ph...ser.curSysuser

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
#5
August 24th, 2005, 01:55 PM
John Dunlop
Re: Error 500 - Internal Server Error

Doug Johnston wrote:
> ...the problem is the LIKE '%0002%'.

The only position a percent sign can occur in is the first
character of a percent-encoding:

pct-encoded = "%" HEXDIG HEXDIG

To be taken as data it must itself be percent-encoded (%25).

--
Jock
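As an added example (not code from any poster in this thread), the same lookup in Python with sqlite3 standing in for the poster's database: encode_query_value() produces the %25 form John Dunlop describes, decoded_company_param() shows what the server receives with and without it, and find_users_by_company() keeps the SQL text fixed on the server and binds the value, as Jerry Stuckle and Álvaro G Vicario advise. The table contents and the "company" parameter name are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample rows standing in for the thread's "sysuser" table
# (columns: name, companies, usrflag). "dave" carries a literal '%'.
SAMPLE_ROWS = [
    ("alice", "0002,0007", "U"),
    ("bob", "0002", "A"),
    ("carol", "0003", "U"),
    ("dave", "50%", "U"),
]


def encode_query_value(value: str) -> str:
    """Percent-encode a query-string value; a literal '%' becomes '%25'."""
    return quote(value, safe="")


def decoded_company_param(url: str) -> str:
    """Decode the 'company' parameter once, as a server-side parser would.

    '%25' yields '%'; an un-encoded '%0002%' comes out as a NUL byte plus
    '02%', because '%00' is read as a pct-encoded NUL and the final '%' dangles.
    """
    return parse_qs(urlsplit(url).query).get("company", [""])[0]


def like_escape(fragment: str) -> str:
    """Escape LIKE wildcards so user data is matched literally."""
    return (fragment.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))


def find_users_by_company(rows, company_fragment: str, usrflag: str = "U"):
    """Run the thread's query with bound parameters instead of SQL from the URL.

    The client sends only the company value; the wildcards are added here.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sysuser (name TEXT, companies TEXT, usrflag TEXT)")
    conn.executemany("INSERT INTO sysuser VALUES (?, ?, ?)", rows)
    pattern = "%" + like_escape(company_fragment) + "%"
    cur = conn.execute(
        "SELECT name FROM sysuser WHERE companies LIKE ? ESCAPE '\\' "
        "AND usrflag = ? ORDER BY name",
        (pattern, usrflag),
    )
    return [name for (name,) in cur.fetchall()]
```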