anders

Reputation: 1545

SQL syntax error (SQL injection)

I am taking a class in computer security and am having a little trouble with the syntax when doing a SQL injection on a local machine that we are supposed to hack.

Below is the syntax of the SQL statement.

SqlCommand sqlc = new SqlCommand("SELECT Record FROM Table_Users WHERE Username='" + username + "' AND Password='" + password + "'");

We are trying the following in the login (username) field, and ' or '1'='1 in the password field:

;INSERT Table_Users (Username, Password) VALUES ('hejsan', 'glenn');

But I am getting a syntax error: "Incorrect syntax near 'hejsan'."

Can you see the syntax error? =)

Upvotes: 0

Views: 2694

Answers (3)

M.P.

Reputation: 272

Maybe something with the quotes?

var password = "';INSERT Table_Users (Username, Password) VALUES (''hejsan'', ''glenn''); select '";

Upvotes: 0

cypherabe

Reputation: 2603

Try:

 ';INSERT Table_Users (Username, Password) VALUES ('hejsan', 'glenn');

-> you need to close the ' after Username=. In this case you don't even need a value for the password field.

You could put -- after your injected statement to cancel the rest of the select statement:

';INSERT Table_Users (Username, Password) VALUES ('hejsan', 'glenn');--

Upvotes: 0

gts

Reputation: 627

My first take was to have INSERT INTO Table_Users instead of INSERT Table_Users, but as the poster noted, INTO is optional (in MSSQL, in contrast to the standard ANSI SQL).

On second thought, depending on what data type your columns are, the query could work by appending N in front of the values, as per "What is the meaning of the prefix N in T-SQL statements?"

Upvotes: 4
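
For contrast with the concatenated query in the question, here is an added example (not part of the question or of any answer above) that puts the same lookup next to a parameterized form. The class and method names, the `NVarChar(64)` column type and the `System.Data.SqlClient` namespace are assumptions; no database connection is needed to run it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // assumption: on newer .NET use Microsoft.Data.SqlClient

static class LoginQuery
{
    // Form used in the question: the input becomes part of the SQL text.
    public static string Concatenated(string username, string password) =>
        "SELECT Record FROM Table_Users WHERE Username='" + username +
        "' AND Password='" + password + "'";

    // Hardened form: the SQL text is constant, values travel as typed parameters.
    public static SqlCommand Parameterized(string username, string password)
    {
        var cmd = new SqlCommand(
            "SELECT Record FROM Table_Users " +
            "WHERE Username = @username AND Password = @password");
        // Type and length are assumptions; match them to the real column definitions.
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 64).Value = password;
        return cmd;
    }

    static void Main()
    {
        // Inputs exactly as posted in the question.
        string u = ";INSERT Table_Users (Username, Password) VALUES ('hejsan', 'glenn');";
        string p = "' or '1'='1";

        // Concatenation: the literal opened after Username= runs until the quote
        // before hejsan, so the parser meets hejsan as a bare token. That is the
        // reported "Incorrect syntax near 'hejsan'".
        Console.WriteLine(Concatenated(u, p));

        // Parameters: the command text never changes and the quotes in the
        // input are only characters inside a value.
        using (SqlCommand cmd = Parameterized(u, p))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter prm in cmd.Parameters)
                Console.WriteLine($"{prm.ParameterName} = {prm.Value}");
        }
    }
}
```

Assign `cmd.Connection` before executing the parameterized command against a real server.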
