Hi,
I am trying to pass the following and it keeps giving the same error...
http://www.megamotza.c om/cst_hsql.php?fi rstlogin=Y&abc= sysman&sql=sele ct%20*%20from%2 0sysuser%20wher e%20companies%2 0LIKE'%0002%'%2 0AND%20usrflag% 20='U'&tblname= curSysuser
....the problem is the LIKE '%0002%'. If I remove the %'s from each side
of the value, no error.
Anyone got any ideas
Regards
Doug Johnston 4 1806
"Doug Johnston" wrote: Hi,
I am trying to pass the following and it keeps giving the same error...
http://www.megamotza.com/cst_hsql.ph...l=select%20*%2 0from%20sysuser %20where%20comp anies%20LIKE'%0 002%'%20AND%20u srflag%20='U'&t bln ame=curSysuser
...the problem is the LIKE '%0002%'. If I remove the %'s from each side of the value, no error.
Anyone got any ideas
Regards Doug Johnston
You should have URLencoded the percent characters:
< http://www.megamotza.com/cst_hsql.ph...&sql=select%20
*%20from%20sysu ser%20where%20c ompanies%20LIKE '%350002%35'%20 AND%20usrflag%2 0
='U'&tblname=cu rSysuser>
But I have to say that running SQL requests directly from unvalidated HTTP
requests is really stupid and irresponsible. Publishing the URL of this
insecure database is really asking for trouble. Fix it now before someone
f**ks up your database.
--
phil [dot] ronan @ virgin [dot] net http://vzone.virgin.net/phil.ronan/
*** Doug Johnston wrote/escribió (Wed, 24 Aug 2005 11:24:17 GMT): http://www.megamotza.c om/cst_hsql.php?fi rstlogin=Y&abc= sysman&sql=sele ct%20*%20from%2 0sysuser%20wher e%20companies%2 0LIKE'%0002%'%2 0AND%20usrflag% 20='U'&tblname= curSysuser
...the problem is the LIKE '%0002%'. If I remove the %'s from each side of the value, no error.
Don't even solve it. If anyone can send custom queries to your database,
anyone can break your site. And they will.
Apart from that, there's only a small subset of chars that are valid in an
URL. You can get the appropriate conversion with rawurlencode(); decoding
is automatic.
--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--
Doug Johnston wrote: Hi,
I am trying to pass the following and it keeps giving the same error...
http://www.megamotza.c om/cst_hsql.php?fi rstlogin=Y&abc= sysman&sql=sele ct%20*%20from%2 0sysuser%20wher e%20companies%2 0LIKE'%0002%'%2 0AND%20usrflag% 20='U'&tblname= curSysuser
...the problem is the LIKE '%0002%'. If I remove the %'s from each side of the value, no error.
Anyone got any ideas
Regards Doug Johnston
Maybe pass it through urlencode() first?
Or, better yet - DON'T PASS THE SQL IN THE REQUEST!, i.e. http://www.megamotza.com/cst_hsql.ph...ser.curSysuser
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
Doug Johnston wrote: ...the problem is the LIKE '%0002%'.
The only position a percent sign can occur in is the first
character of a percent-encoding:
pct-encoded = "%" HEXDIG HEXDIG
To be taken as data it must itself be percent-encoded (%25).
--
Jock This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: John F Dutcher |
last post by:
Can anyone comment on why the code shown in the Python error is in
some way incorrect...or is there a problem with Python on my hoster's
site ??
The highlites don't seem to show here...but line #80 and line # 38 are
the first line offenders.
--> --> -->
|
by: Ben |
last post by:
hi
when I try to excecute an ASP (either JS or VB) script to
say, access a database record, I get an Internal Server
Error HTTP 500.100
Why? and HOW CAN I FIX THIS?
Thanks
|
by: Patrick Masson |
last post by:
Hello,
Our configuration :
Apache 2.0.53
PHP 5.0.4
PC Windows 2000
MATLAB 6.1
We work on a consulting project in France which involves MATLAB Web server,
|
by: xixi |
last post by:
we are using db2 udb v8.1 on win 64 bit with fp3 with type 4 db2jcc.jar driver.
such error generated , please help me understand this , thanks
2004-01-12-14.09.02.400000 Instance:DB2 Node:000
PID:1788(db2syscs.exe) TID:980 Appid:none
DRDA Application Server sqljsCleanup Probe:60
DIA0001E An internal error occurred. Report the following error code :
"ZRC=0xFFFFFBF6".
|
by: Rod |
last post by:
I have been working with ASP.NET 1.1 for quite a while now. For some
reason, opening some ASP.NET applications we wrote is producing the
following error message:
"The Web server reported the following error when attempting to create or
open the Web project located at the following URL:
'http://localhost/WebApplication1'. 'HTTP/1.1 500 Internal Server Error'."
| |
by: jf li |
last post by:
I have a Asp.net web application and a Asp.net Web service application. The
Web application is using HtmlInputFile to get a 50M size of file selected by
end user, read the data of this file and pass the data to the web service. I
already modified both web.config files and changed maxRequestLength to
60000(kb). When I debug the upload process, it seems the Web application can
get the 50M file and read the data without problem, but when the...
|
by: Lieven |
last post by:
Hey,
I had a hard disc problem last week on my server. I replaced the disc and
copied al the files to the new hard disc, everything works fine again except
some php scripts that are using the mail() function. When executing these
scripts I get this error:
"500 Internal Server Error
The server encountered an internal error or misconfiguration and was unable
to complete your request.
|
by: Mike |
last post by:
Hi
I have problem as folow:
Caught Exception: System.Configuration.ConfigurationErrorsException:
An error occurred loading a configuration file: Request for the
permission of type 'System.Security.Permissions.FileIOPermission,
mscorlib, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089' failed. (machine.config) --->
System.Security.SecurityException: Request for the permission of type
|
by: kuguy |
last post by:
Hi all,
I'm new to the forums, so I hope this isn't in the wrong place...
I have that "Software caused connection abort: socket write error" exception error that i've never meet before.
Basically what im trying to do is the following:
- a client connect to a server using sslsocket.
- server receive the connection and reply with the first part of the data and keep the connection open.
- then client receive the reply and request for...
|
by: guillaume.braux |
last post by:
Hello,
I am running WS2008 + IIS7 + FASTCGI + ZendCore.
I have not modified the default ZendCore php.ini configuration file.
Actualy, any kind of PHP error, warning or notice gives me immediately
a IIS 500 Error (Internal Server Error).
It is a good thing in production environnement.
For debuging purposes, I want temporary to be able to see PHP warnings
and errors embedded on the html page.
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |