Login or Sign Up to become a member!
LessThanDot Sit Logo

LessThanDot

Data Management

Less Than Dot is a community of passionate IT professionals and enthusiasts dedicated to sharing technical knowledge, experience, and assistance. Inside you will find reference materials, interesting technical discussions, and expert tips and commentary. Once you register for an account you will have immediate access to the forums and all past articles and commentaries.

LTD Social Sitings

Lessthandot twitter Lessthandot Linkedin Lessthandot friendfeed Lessthandot facebook Lessthandot rss

Note: Watch for social icons on posts by your favorite authors to follow their postings on these and other social sites.

Your profile

    Tools

    Tag cloud

    azure book business intelligence ctp database dates denali dmv functions gotcha high availability how to howto indexing mirroring performance sql sql friday sql server sql server 2000 sql server 2005 sql server 2008 sql server 2008 r2 sql server 2012 sql server denali sql server integration services ssis t-sql tip trick

    Authors

    Main Categories

    Search

    XML Feeds

    More on RSS

    Google Ads

    « Chicago SQL Connections - Reporting Services 201 Slides & CodeHow to find what column caused the String or binary data would be truncated message »
    2
    comments

    SQL Injection Pocket Reference for MySQL, SQL Server and Oracle

    by SQLDenis on Jul 29, 2011 in categories Data Modelling & Design, Database Programming, Microsoft SQL Server Admin, MySQL Admin, Oracle Admin, Microsoft SQL Server, Oracle, MySQL
    Instapaper

    There is a nice SQL Injection Pocket Reference up on Google Docs

    Here is what is covered

    MySQL
    Default Databases
    Comment Out Query
    Testing Injection
    Strings
    Numeric
    In a login
    Testing Version
    MySQL-specific code
    Database Credentials
    Database Names
    Tables & Columns
    Finding out number of columns
    Retrieving Tables
    Retrieving Columns
    PROCEDURE ANALYSE()
    Retrieving Multiple Tables/Columns at once
    Find Tables from Column Name
    Find Column From Table Name
    Avoiding the use of single/double quotations
    String concatenation
    Privileges
    FILE privilege
    MySQL 4/5
    MySQL 5
    Out Of Band Channeling
    Timing
    DNS (requires FILE privilege)
    SMB (requires FILE privilege)
    Reading Files (requires FILE privilege)
    Writing Files (requires FILE privilege)
    Stacked Queries with PDO
    User Defined Functions
    Fuzzing and Obfuscation
    Allowed Intermediary Characters
    Allowed Intermediary Characters after AND/OR
    Operators
    Constants
    MySQL Functions()
    MySQL Password Hashing
    MySQL Password() Cracker

    MSSQL
    Default Databases
    Comment Out Query
    Testing Version
    Database Credentials
    Database Server Hostname
    Database Names
    Tables & Columns
    Retrieving Tables
    Retrieving Columns
    Retrieving Multiple Tables/Columns at once
    OPENROWSET Attacks
    System Command Execution
    SP_PASSWORD (Hiding Query)
    Stacked Queries
    Fuzzing and Obfuscation
    Encodings
    Allowed Intermediary Characters
    Allowed Intermediary Characters after AND/OR
    MSSQL Password Hashing
    MSSQL Password Cracker

    ORACLE
    Default Databases
    Comment Out Query
    Testing Version
    Database Credentials
    Database Names
    Current Database
    User Databases
    Tables & Columns
    Retrieving Tables
    Retrieving Columns
    Finding Tables from Column Name
    Finding Column From Table Name
    Fuzzing and Obfuscation
    Avoiding the use of single/double quotations
    Out Of Band Channeling
    Time Delay
    Heavy Query Time delays

    You can find it here: SQL Injection Pocket Reference

    About the Author

    User bio imageDenis has been working with SQL Server since version 6.5. Although he worked as an ASP/JSP/ColdFusion developer before the dot com bust, he has been working exclusively as a database developer/architect since 2002. In addition to English, Denis is also fluent in Croatian and Dutch, but he can curse in many other languages and dialects (just ask the SQL optimizer) He lives in Princeton, NJ with his wife and three kids.
    Social SitingsTwitterFacebookLinkedInHomePageFlickrLTD RSS Feed
    927 views
    Read More Posts by SQLDenis
    Instapaper

    2 comments

    Comment from: David Forck (thirster42) [Member]
    doesn't seem to want to work for me. i click the links but i keep getting blank pages
    07/29/11 @ 10:02
    Comment from: SQLDenis [Member] Email
    SQLDenis Works for me..what browser are you using...maybe you need to be signed into Google for it to work
    07/29/11 @ 10:18

    Leave a comment


    Your email address will not be revealed on this site.

    Your URL will be displayed.
    (Line breaks become <br />)
    (Name, email & website)
    (Allow users to contact you through a message form (your email will not be revealed.)

    Powered by B2Evolution
    Valid XHTML | Valid CSS