
SQL Injection: Does a text box that responds to HTML input make it more vulnerable to SQL injection?

2 Answers

  • Bob
    7 years ago

    I'm auditing a website and I've been able to make a text box display HTML when you click "search." Does this mean it is susceptible to SQL injection? For example, a search for

    1 </BR> hello world </BR> <i> how do you do </i>

    will produce zero results, but the website renders the line breaks and the italics (rather than showing the raw HTML).

    The website also responds to the % wildcard operator. However, I can't get it to respond to any escape characters or comment characters. Any other thoughts on how to manipulate a text field to either produce an error or produce an SQL result?

    I've tried doing things like

    % -- displays everything available

    %' or '%' -- just to see if it produced the two wild cards, but this did nothing

    %' -- no results

    %" -- no results

    Any thoughts on how to determine what the database is?

  • Anonymous
    7 years ago

    YES. Anything which might mean you need to allow more than plain text is a risk. You need to VERY carefully filter all content before allowing it in.
