Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
daemon@ATHENA.MIT.EDU (Smith, Eric V.)
Wed Feb 9 12:32:31 2000
Date: Wed, 9 Feb 2000 06:35:46 -0500
Reply-To: "Smith, Eric V." <EricSmith@WINDSOR.COM>
From: "Smith, Eric V." <EricSmith@WINDSOR.COM>
X-To: Jeremy Whittington <jwhitt@INSIDERMARKETING.COM>,
BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Not true, at least for the case of MS Sql Server 7. The following
statement:
insert into customer (name, primary_contact)
values ('a', '4')
succeeds where primary_contact is of type int (I also tried numeric just to
be sure). I write code like this all of the time when I know the column
names but not their types.
Did you actually try this yourself before posting? What results did you
observe?
Eric.
> -----Original Message-----
> From: Jeremy Whittington [mailto:jwhitt@INSIDERMARKETING.COM]
> Sent: Tuesday, February 08, 2000 10:52 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
>
>
> Hello,
>
> I would like to make a comment on your statement about SQL
> Syntax and how you deal with numeric values.
>
> > If you're stating that you cannot enclose your numeric values in single
> > quotes in SQL query strings, it seems to be incorrect. I'm also using SQL as
> > my backend, and I've ALWAYS enclosed numbers in single quotes, and it has
> > always worked.
>
> When inserting data into a Numeric datatype you do not use single quotes
> around the values.
>
> If Field2 was a Numeric datatype in this example it would Fail on MS SQL
> Server 6.5, 7.0, MS Access 97/2k, Oracle 6i+, and Dbase.
> INSERT INTO Table (Field1, Field2) Values('String','1')
>
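The thread above argues about whether a numeric column accepts a quoted literal. The following script, added here and written by neither poster, reproduces Eric's exact statement against an in-memory SQLite table (an assumption: the thread is about MS SQL Server 7, and SQLite is used only because it runs anywhere) and then shows the defender's answer to the whole debate: validate the type in application code and bind the value as a parameter, so the SQL text never carries a quoted or unquoted user-supplied literal at all.

```python
import sqlite3

# Constructed stand-in for the table in the post. SQLite's INTEGER column
# affinity decides what happens to a quoted number here; MS SQL Server's
# behaviour is what the thread is actually about (assumption noted).
DDL = "CREATE TABLE customer (name TEXT, primary_contact INTEGER)"


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute(DDL)
    return con


def insert_quoted_literal():
    """Run the statement from the post, with the int column value quoted.

    Returns (stored value, storage class) so the caller can see whether
    the engine silently coerced the string '4' into a number."""
    con = fresh_db()
    con.execute("insert into customer (name, primary_contact) values ('a', '4')")
    row = con.execute(
        "select primary_contact, typeof(primary_contact) from customer"
    ).fetchone()
    con.close()
    return row  # SQLite coerces to (4, 'integer')


def to_int_strict(value):
    """Accept only an optionally signed ASCII decimal string.

    Checking the type in code, before the value reaches the driver, is what
    makes the 'quote it or not' question irrelevant for untrusted input."""
    s = str(value).strip()
    digits = s[1:] if s.startswith(("+", "-")) else s
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"not an integer: {value!r}")
    return int(s)


def insert_parameterised(name, primary_contact):
    """Insert via bound parameters; no literal of either kind is spliced
    into the SQL text, so the column type is enforced by the engine and
    the input type by to_int_strict, independently of quoting."""
    con = fresh_db()
    con.execute(
        "insert into customer (name, primary_contact) values (?, ?)",
        (name, to_int_strict(primary_contact)),
    )
    row = con.execute("select primary_contact from customer").fetchone()
    con.close()
    return row[0]
```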