
Error 500 - Internal Server Error

Doug Johnston
Guest
 
Posts: n/a
#1: Aug 24 '05
Hi,

I am trying to pass the following and it keeps giving the same error...

http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser

...the problem is the LIKE '%0002%'. If I remove the %'s from each side
of the value, no error.

Anyone got any ideas?

Regards
Doug Johnston
Philip Ronan
Guest
 
Posts: n/a
#2: Aug 24 '05

re: Error 500 - Internal Server Error


"Doug Johnston" wrote:
> Hi,
>
> I am trying to pass the following and it keeps giving the same error...
>
> http://www.megamotza.com/cst_hsql.ph...l=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser
>
> ...the problem is the LIKE '%0002%'. If I remove the %'s from each side
> of the value, no error.
>
> Anyone got any ideas
>
> Regards
> Doug Johnston

You should have URLencoded the percent characters:

<http://www.megamotza.com/cst_hsql.ph...&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%350002%35'%20AND%20usrflag%20='U'&tblname=curSysuser>

But I have to say that running SQL requests directly from unvalidated HTTP
requests is really stupid and irresponsible. Publishing the URL of this
insecure database is really asking for trouble. Fix it now before someone
f**ks up your database.


--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/


Alvaro G Vicario
Guest
 
Posts: n/a
#3: Aug 24 '05

re: Error 500 - Internal Server Error


*** Doug Johnston wrote (Wed, 24 Aug 2005 11:24:17 GMT):
> http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser
>
> ...the problem is the LIKE '%0002%'. If I remove the %'s from each side
> of the value, no error.

Don't even solve it. If anyone can send custom queries to your database,
anyone can break your site. And they will.

Apart from that, there's only a small subset of chars that are valid in a
URL. You can get the appropriate conversion with rawurlencode(); decoding
is automatic.



--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - My site about web programming
-- Don't e-mail me your questions, post them to the group
--
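The encoding point Alvaro makes, shown as an added example; this is not code from any poster or from the megamotza.com site. It is written in Python, with urllib.parse.quote and unquote standing in for PHP's rawurlencode() and the decoding PHP applies to $_GET, so that it runs stand-alone. The query-string value is copied from Doug's URL, and the "wanted" string is what that value was evidently meant to be. A `%` byte is 0x25, so its encoded form is `%25`; `%00`, on the other hand, is a valid escape that decodes to a NUL byte, which is how the server ends up with something quite different from `LIKE '%0002%'`.

```python
"""Added example, not code from the thread: what a server makes of the raw
'%' characters in the posted URL, and why percent-encoding them first fixes
it. urllib.parse.quote/unquote stand in for PHP's rawurlencode() and the
decoding PHP applies to $_GET automatically."""
from urllib.parse import quote, unquote

# The 'sql' value exactly as it appears in the posted URL.
RAW_SQL_PARAM = ("select%20*%20from%20sysuser%20where%20companies%20"
                 "LIKE'%0002%'%20AND%20usrflag%20='U'")

# What the poster evidently wanted the server to receive.
WANTED = "select * from sysuser where companies LIKE'%0002%' AND usrflag ='U'"


def server_side_value(param: str) -> str:
    """Standard percent-decoding of one query-string value. Every '%' that is
    followed by two hex digits is consumed as an escape ('%00' -> NUL byte);
    a '%' that is not (the one before the closing quote) passes through."""
    return unquote(param)


def encode_value(value: str) -> str:
    """Encode a value for a query string: every reserved byte, '%' itself
    included (0x25 -> '%25'), is escaped, so the value survives decoding."""
    return quote(value, safe="")


def round_trips(value: str) -> bool:
    """True when encoding and then decoding gives the value back unchanged."""
    return server_side_value(encode_value(value)) == value


if __name__ == "__main__":
    got = server_side_value(RAW_SQL_PARAM)
    print("decoded as posted :", repr(got))           # a '\x00' sits where '%00' was
    print("matches intent    :", got == WANTED)        # False
    print("encoded properly  :", encode_value(WANTED))
    print("round-trips       :", round_trips(WANTED))  # True
```

Running it shows the decoded value with a NUL byte in the middle of the LIKE pattern and the trailing `%'` left as-is; encoding the whole value before putting it in the URL makes it come back byte for byte.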
Jerry Stuckle
Guest
 
Posts: n/a
#4: Aug 24 '05

re: Error 500 - Internal Server Error


Doug Johnston wrote:
> Hi,
>
> I am trying to pass the following and it keeps giving the same error...
>
> http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser
>
> ...the problem is the LIKE '%0002%'. If I remove the %'s from each side
> of the value, no error.
>
> Anyone got any ideas
>
> Regards
> Doug Johnston

Maybe pass it through urlencode() first?

Or, better yet - DON'T PASS THE SQL IN THE REQUEST! i.e.

http://www.megamotza.com/cst_hsql.ph...ser.curSysuser

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
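The alternative Jerry and the other replies point to, as an added example; this is not code from the thread or from the site. It puts the endpoint as the posted URL implies it works, executing whatever arrives in `sql=`, next to a fixed, parameterised query that takes only the company value from the request. Python with an in-memory SQLite database stands in for the site's PHP and its database; the column `usrname` and the sample rows are constructed for the example (only `sysuser`, `companies` and `usrflag` appear in the thread). Because the caller's fragment goes into a LIKE pattern, any `%` or `_` in it is escaped so it matches literally, and the wildcards are added by the server, which also removes the URL-encoding problem from the client side altogether.

```python
"""Added example, not code from the thread or from megamotza.com: the
request-supplied-SQL endpoint the posted URL implies, next to a hardened
replacement that runs one fixed, parameterised query. SQLite stands in for
the site's database; the column 'usrname' and the rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a 'sysuser' table and constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sysuser (usrname TEXT, companies TEXT, usrflag TEXT)")
    conn.executemany("INSERT INTO sysuser VALUES (?, ?, ?)", [
        ("alice", "0001,0002,0003", "U"),  # contains 0002, flag U: should match
        ("bob",   "0002",           "A"),  # right company, wrong flag
        ("carol", "0020",           "U"),  # does not contain 0002
        ("dave",  "100%",           "U"),  # a literal '%' in the data
    ])
    return conn


# --- the pattern in the thread: whatever arrives in sql= is executed ----------
def run_request_sql(conn: sqlite3.Connection, sql_from_request: str) -> list:
    """Executes the request's 'sql' parameter verbatim. Anyone who can send a
    request can read, change or drop anything the database account may touch."""
    return conn.execute(sql_from_request).fetchall()


# --- hardened replacement: fixed statement, one bound value -------------------
def escape_like(fragment: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters ('%', '_' and the escape char itself) so a
    request-supplied fragment is matched literally inside the pattern."""
    return (fragment.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))


def find_users_by_company(conn: sqlite3.Connection, company_fragment: str) -> list:
    """The only statement this endpoint runs. The request contributes a value,
    never SQL text: it is bound as a parameter, and the wildcards are added
    here, so the client no longer has to URL-encode any '%' at all."""
    pattern = "%" + escape_like(company_fragment) + "%"
    return conn.execute(
        "SELECT usrname, companies FROM sysuser "
        "WHERE companies LIKE ? ESCAPE '\\' AND usrflag = 'U' "
        "ORDER BY usrname",
        (pattern,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("hardened, '0002':", find_users_by_company(db, "0002"))
    print("hardened, '%':   ", find_users_by_company(db, "%"))
    print("hardened, injection attempt:", find_users_by_company(db, "' OR '1'='1"))
    print("raw sql, before:", run_request_sql(db, "SELECT count(*) FROM sysuser"))
    run_request_sql(db, "DELETE FROM sysuser")   # the request decides what runs
    print("raw sql, after: ", run_request_sql(db, "SELECT count(*) FROM sysuser"))
```

The request for the hardened endpoint carries only `company=0002`; the statement text never leaves the server, a quote or `OR 1=1` in the value is just characters to look for, and a literal `%` in the data can still be searched for because the escape is applied before the wildcards are added.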
John Dunlop
Guest
 
Posts: n/a
#5: Aug 24 '05

re: Error 500 - Internal Server Error


Doug Johnston wrote:

> ...the problem is the LIKE '%0002%'.

The only position a percent sign can occur in is the first
character of a percent-encoding:

pct-encoded = "%" HEXDIG HEXDIG

To be taken as data it must itself be percent-encoded (%25).

--
Jock