Error 500 - Internal Server Error

  • Doug Johnston

    Error 500 - Internal Server Error

    Hi,

    I am trying to pass the following and it keeps giving the same error...

    http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser

    ....the problem is the LIKE '%0002%'. If I remove the %'s from each side
    of the value, no error.

    Anyone got any ideas

    Regards
    Doug Johnston
  • Philip Ronan

    #2
    Re: Error 500 - Internal Server Error

    "Doug Johnston" wrote:
    > Hi,
    >
    > I am trying to pass the following and it keeps giving the same error...
    >
    > http://www.megamotza.com/cst_hsql.ph...l=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser
    >
    > ...the problem is the LIKE '%0002%'. If I remove the %'s from each side
    > of the value, no error.
    >
    > Anyone got any ideas
    >
    > Regards
    > Doug Johnston

    You should have URLencoded the percent characters:

    <http://www.megamotza.com/cst_hsql.ph...&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%350002%35'%20AND%20usrflag%20='U'&tblname=curSysuser>

    But I have to say that running SQL requests directly from unvalidated HTTP
    requests is really stupid and irresponsible. Publishing the URL of this
    insecure database is really asking for trouble. Fix it now before someone
    f**ks up your database.


    --
    phil [dot] ronan @ virgin [dot] net




    • Alvaro G Vicario

      #3
      Re: Error 500 - Internal Server Error

      *** Doug Johnston wrote (Wed, 24 Aug 2005 11:24:17 GMT):
      > http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser
      >
      > ...the problem is the LIKE '%0002%'. If I remove the %'s from each side
      > of the value, no error.

      Don't even solve it. If anyone can send custom queries to your database,
      anyone can break your site. And they will.

      Apart from that, there's only a small subset of chars that are valid in an
      URL. You can get the appropriate conversion with rawurlencode(); decoding
      is automatic.



      --
      -- Álvaro G. Vicario - Burgos, Spain
      -- http://bits.demogracia.com - My site about web programming
      -- Don't e-mail me your questions, post them to the group
      --


      • Jerry Stuckle

        #4
        Re: Error 500 - Internal Server Error

        Doug Johnston wrote:
        > Hi,
        >
        > I am trying to pass the following and it keeps giving the same error...
        >
        > http://www.megamotza.com/cst_hsql.php?firstlogin=Y&abc=sysman&sql=select%20*%20from%20sysuser%20where%20companies%20LIKE'%0002%'%20AND%20usrflag%20='U'&tblname=curSysuser
        >
        >
        > ...the problem is the LIKE '%0002%'. If I remove the %'s from each side
        > of the value, no error.
        >
        > Anyone got any ideas
        >
        > Regards
        > Doug Johnston

        Maybe pass it through urlencode() first?

        Or, better yet - DON'T PASS THE SQL IN THE REQUEST!, i.e.



        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================


        • John Dunlop

          #5
          Re: Error 500 - Internal Server Error

          Doug Johnston wrote:
          > ...the problem is the LIKE '%0002%'.

          The only position a percent sign can occur in is the first
          character of a percent-encoding:

          pct-encoded = "%" HEXDIG HEXDIG

          To be taken as data it must itself be percent-encoded (%25).

          --
          Jock
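A worked version of the advice in #2 to #5, as an added example that is not code from the thread: it shows what the raw pattern becomes after percent-decoding, what rawurlencode() produces for it, and an endpoint that accepts a company code instead of SQL text. The sysuser table, the companies and usrflag columns and the pdo_sqlite driver used for the demo are assumptions; the schema and sample rows are constructed.

```php
<?php
// Added example, not code from the thread. Table and column names follow
// the posted query; the SQLite schema and sample rows are constructed.

$pattern = '%0002%';

// (1) Sent raw, "%00" is decoded to a NUL byte, and the final "%'" is not a
//     valid "%" HEXDIG HEXDIG triplet, so the value is already mangled
//     before any SQL engine sees it.
$decoded = rawurldecode($pattern . "'");
echo bin2hex($decoded), "\n";

// (2) Every "%" that is data must itself be percent-encoded as "%25";
//     rawurlencode() does this for the whole value.
echo rawurlencode($pattern), "\n";

// (3) Never accept SQL from the client. Accept the company code only,
//     whitelist its shape, and bind the server-built pattern as a parameter.
function findSysusers(PDO $db, string $companyCode): array
{
    // Reject anything but four digits; this also keeps the LIKE wildcards
    // "%" and "_" out of the user-controlled part of the pattern.
    if (!preg_match('/^\d{4}$/', $companyCode)) {
        throw new InvalidArgumentException('company code must be 4 digits');
    }
    $stmt = $db->prepare(
        'SELECT * FROM sysuser WHERE companies LIKE :pattern AND usrflag = :flag'
    );
    $stmt->execute([':pattern' => '%' . $companyCode . '%', ':flag' => 'U']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database for the demo (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sysuser (name TEXT, companies TEXT, usrflag TEXT)');
$db->exec("INSERT INTO sysuser VALUES ('alice', '0001,0002', 'U'),
                                      ('bob',   '0003',      'U'),
                                      ('carol', '0002',      'A')");

print_r(findSysusers($db, '0002'));   // alice: member of 0002 and flagged 'U'

try {
    findSysusers($db, '0002%');       // wildcard in user input: rejected
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```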
