
Error 500 - Internal Server Error

Hi,

I am trying to pass the following and it keeps giving the same error...

http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser

...the problem is the LIKE '%0002%'. If I remove the %'s from each side
of the value, no error.

Anyone got any ideas

Regards
Doug Johnston
Aug 24 '05 #1
4 Replies


"Doug Johnston" wrote:
Hi,

I am trying to pass the following and it keeps giving the same error...

http://www.megamotza.com/cst_hsql.ph...l=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser

...the problem is the LIKE '%0002%'. If I remove the %'s from each side
of the value, no error.

Anyone got any ideas

Regards
Doug Johnston


You should have URLencoded the percent characters:

<http://www.megamotza.com/cst_hsql.ph...&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%350002%35'%20AND%20usrflag%20='U'&tblname=curSysuser>

But I have to say that running SQL requests directly from unvalidated HTTP
requests is really stupid and irresponsible. Publishing the URL of this
insecure database is really asking for trouble. Fix it now before someone
f**ks up your database.
--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/
Aug 24 '05 #2

*** Doug Johnston wrote (Wed, 24 Aug 2005 11:24:17 GMT):
http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser

...the problem is the LIKE '%0002%'. If I remove the %'s from each side
of the value, no error.


Don't even solve it. If anyone can send custom queries to your database,
anyone can break your site. And they will.

Apart from that, there's only a small subset of chars that are valid in an
URL. You can get the appropriate conversion with rawurlencode(); decoding
is automatic.

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - My site about web programming
-- Don't e-mail me your questions, post them to the group
--
Aug 24 '05 #3

Doug Johnston wrote:
Hi,

I am trying to pass the following and it keeps giving the same error...

http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser

...the problem is the LIKE '%0002%'. If I remove the %'s from each side
of the value, no error.

Anyone got any ideas

Regards
Doug Johnston


Maybe pass it through urlencode() first?

Or, better yet - DON'T PASS THE SQL IN THE REQUEST!, i.e.

http://www.megamotza.com/cst_hsql.ph...ser.curSysuser

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 24 '05 #4
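What Jerry's "don't pass the SQL in the request" looks like in practice, as an added example that is not code from the thread or from the megamotza.com site. The site is PHP; the example is written in Python with an in-memory SQLite table so it runs stand-alone, and the idea carries over unchanged: the client names one of a fixed set of queries and supplies a value, the value is bound as a parameter, and the `%` wildcards are added on the server. The table and column names (sysuser, usrname, companies, usrflag) come from the thread; the query= and company= parameters, the query name `users_by_company` and the sample rows are assumptions made for this example.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Queries this endpoint is allowed to run, keyed by a short name. The client
# chooses a name and supplies a value; the SQL text itself never travels in
# the request, so nothing the client sends is ever parsed as SQL.
# (Table and column names are from the thread; the query name and the
# "company" parameter are assumptions made for this example.)
ALLOWED_QUERIES = {
    "users_by_company": (
        "SELECT usrname FROM sysuser "
        "WHERE companies LIKE ? ESCAPE '\\' AND usrflag = 'U' "
        "ORDER BY usrname"
    ),
}


def like_contains(fragment: str) -> str:
    """Build the LIKE pattern server-side: the user's own '%', '_' and '\\'
    are escaped so they match literally, then the wildcards are added.
    The wildcards belong to the server, so the client never has to put a
    '%' in the URL at all."""
    escaped = (fragment.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    return f"%{escaped}%"


def run_named_query(conn, query_name: str, fragment: str) -> list:
    sql = ALLOWED_QUERIES.get(query_name)
    if sql is None:
        # Unknown names are refused outright rather than handed to the DB.
        raise ValueError(f"unknown query: {query_name!r}")
    # The pattern is bound as a parameter, not interpolated into the SQL.
    cur = conn.execute(sql, (like_contains(fragment),))
    return [row[0] for row in cur.fetchall()]


def handle_request(conn, url: str) -> list:
    """Serve a URL such as
    http://www.megamotza.com/cst_hsql.php?query=users_by_company&company=0002
    (the query= and company= parameters are this example's, not the site's).
    parse_qs percent-decodes the values, so company=100%25 arrives as '100%'."""
    params = parse_qs(urlsplit(url).query)
    query_name = params.get("query", [""])[0]
    fragment = params.get("company", [""])[0]
    return run_named_query(conn, query_name, fragment)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the thread's sysuser table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sysuser (usrname TEXT, companies TEXT, usrflag TEXT)")
    conn.executemany("INSERT INTO sysuser VALUES (?, ?, ?)", [
        ("alice", "0001,0002", "U"),
        ("bob",   "0002",      "U"),
        ("carol", "0003",      "U"),
        ("dave",  "0002",      "A"),   # not a 'U' user, must not be returned
        ("erin",  "100%",      "U"),   # company id with a literal '%' in it
    ])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_request(db, "http://www.megamotza.com/cst_hsql.php"
                             "?query=users_by_company&company=0002"))
    print(handle_request(db, "http://www.megamotza.com/cst_hsql.php"
                             "?query=users_by_company&company=100%25"))
```

Two things worth noticing: a request carrying `' OR '1'='1` as the company value simply matches nothing, because it only ever reaches the database as a bound string; and the ESCAPE clause is what keeps a user-supplied `%` or `_` from turning into a wildcard once the server adds its own.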

Doug Johnston wrote:
...the problem is the LIKE '%0002%'.


The only position a percent sign can occur in is the first
character of a percent-encoding:

pct-encoded = "%" HEXDIG HEXDIG

To be taken as data it must itself be percent-encoded (%25).

--
Jock
Aug 24 '05 #5
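The percent-encoding point made by Phil (#2) and Jock (#5), worked through on the actual parameter from the question, as an added example that is not code from the thread. It is in Python rather than PHP so it runs stand-alone; Python's `unquote()` decodes the same way the server does, and `quote()` with no safe characters encodes the same set of characters as PHP's `rawurlencode()` for the input here. The string `RAW_SQL_PARAM` is a constructed copy of the thread's sql= value with its `%20`s already decoded so only the two `%` around 0002 are left as sent.

```python
import re
from urllib.parse import quote, unquote

# The sql= value from the question, written out with the %20s already
# decoded; only the two '%' around 0002 are left exactly as they were sent.
# (A constructed copy of the thread's URL parameter, for illustration.)
RAW_SQL_PARAM = "select * from sysuser where companies LIKE'%0002%' AND usrflag ='U'"

# pct-encoded = "%" HEXDIG HEXDIG   (RFC 3986, the rule quoted in the thread)
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def invalid_percent_signs(text: str) -> list:
    """Offsets of every '%' in text that does not start a valid pct-encoded
    triplet, i.e. every '%' that should have been sent as '%25'."""
    return [i for i, ch in enumerate(text)
            if ch == "%" and PCT_ENCODED.match(text, i) is None]


def decode_as_server(value: str) -> str:
    """Percent-decode the way the web server / PHP does before the script
    sees $_GET['sql']: '%00' is a valid triplet and becomes a NUL byte, while
    "%'" is not a triplet and is passed through unchanged. That NUL is what
    the raw URL in the question hands to the SQL string; with the '%'s
    removed there is no '%00' and nothing odd reaches the database."""
    return unquote(value)


def encode_for_query_string(value: str) -> str:
    """Encode a query-string value so that every '%' (and every other
    reserved character) survives the round trip."""
    return quote(value, safe="")


if __name__ == "__main__":
    print(invalid_percent_signs(RAW_SQL_PARAM))      # offset of the '%' in "%'"
    print(repr(decode_as_server(RAW_SQL_PARAM)))     # note the \x00 after LIKE'
    print(encode_for_query_string("LIKE'%0002%'"))   # %25 on both sides of 0002
```

Note that only the second `%` is flagged as invalid: `%00` is a perfectly well-formed triplet, which is exactly why it silently becomes a NUL byte instead of the literal `%0` the author meant.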
