[13791] in bugtraq
Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
daemon@ATHENA.MIT.EDU (W. Craig Trader)
Thu Feb 10 15:01:38 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <38A1A10D.8AB0036D@unicornsrest.org>
Date: Wed, 9 Feb 2000 12:17:01 -0500
Reply-To: ct7@unicornsrest.org
From: "W. Craig Trader" <ct7@UNICORNSREST.ORG>
X-To: "Smith, Eric V." <EricSmith@WINDSOR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
"Smith, Eric V." wrote:
>
> Not true, at least for the case of MS Sql Server 7. The following
> statement:
>
> insert into customer (name, primary_contact)
> values ('a', '4')
>
> succeeds where primary_contact is of type int (I also tried numeric just to
> be sure). I write code like this all of the time when I know the column
> names but not their types.
>
> Did you actually try this yourself before posting? What results did you
> observe?
I don't have a copy of SQL Server lying around, but I can speak to
several other RDBMSes (Oracle 7 & 8, MS Access, MySQL, Informix, and other
lesser products) as well as the SQL 89 and SQL 92 standards. In standard
SQL, you must not use quotes around non-string constants. Numeric
constants must be unquoted, Date/Time constants must use the Date/Time
delimiter (# for MS Access, other characters for other products).
Have you ever used anything besides Microsoft RDBMSes? Microsoft is
not well known for their ability to adhere to industry standards.
- Craig -
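The following is an added example, not code from either poster or from wwwthreads, that makes the point of the exchange concrete on an engine anyone can run: SQLite. Its type affinity silently converts the quoted literal '4' to the integer 4 in an INTEGER column (the lenient behaviour Eric reports for SQL Server), while a string that cannot be converted is stored as text; neither is what SQL-92 specifies, so relying on quoted numerics is engine-specific. The second function shows the portable alternative a practitioner would actually use: validate the value as a number and bind it as a typed parameter, so the literal-quoting question and the string splicing that enables injection both disappear. The table name and columns are taken from the message; the "x4" and "1 OR 1=1" inputs are constructed for illustration.

```python
import sqlite3

DDL = "CREATE TABLE customer (name TEXT, primary_contact INTEGER)"


def quoted_numeric_demo():
    """Insert quoted literals into an INTEGER column and report what the
    engine actually stored. SQLite's INTEGER affinity converts '4' to the
    integer 4, but leaves 'x4' (constructed input) as text: the conversion
    is a convenience of this engine, not a guarantee of standard SQL."""
    con = sqlite3.connect(":memory:")
    con.execute(DDL)
    # Quoted numeric literal, exactly as in the quoted message
    con.execute("INSERT INTO customer (name, primary_contact) VALUES ('a', '4')")
    # Quoted non-numeric literal: affinity cannot convert it losslessly
    con.execute("INSERT INTO customer (name, primary_contact) VALUES ('b', 'x4')")
    rows = con.execute(
        "SELECT name, primary_contact, typeof(primary_contact) "
        "FROM customer ORDER BY name"
    ).fetchall()
    con.close()
    return rows  # [('a', 4, 'integer'), ('b', 'x4', 'text')]


def parameterized_insert(name, primary_contact):
    """Portable, injection-resistant form: coerce the numeric field to int
    in application code (rejecting anything that is not a number) and bind
    both values as parameters, so no literal is ever spliced into the SQL
    text and no engine-specific quoting rule is relied on."""
    contact = int(primary_contact)  # raises ValueError for '1 OR 1=1' etc.
    con = sqlite3.connect(":memory:")
    con.execute(DDL)
    con.execute(
        "INSERT INTO customer (name, primary_contact) VALUES (?, ?)",
        (name, contact),
    )
    row = con.execute(
        "SELECT primary_contact, typeof(primary_contact) FROM customer"
    ).fetchone()
    con.close()
    return row  # (4, 'integer') for primary_contact='4'


def rejects_non_numeric(value):
    """True if parameterized_insert refuses the value before it reaches SQL."""
    try:
        parameterized_insert("probe", value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(quoted_numeric_demo())
    print(parameterized_insert("a", "4"))
    print(rejects_non_numeric("1 OR 1=1"))
```

The first function is the portability check: run the same two INSERTs against whatever engine you ship on and compare the stored types; an engine following the standard will reject the statement outright. The second is the fix that holds regardless of engine.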