Need to stop "Changed database context to 'DB_Name'" from popping up - sql-server-2005

I am getting the "Changed database context to.." message when a USE statement is used. The application is built using Delphi XE7. I need to modify the databases in between without getting this message. The other database which I need is tempDB. Is there any SQL statement to pass from code to stop this message from coming?

Related

How to receive SQL syntax error using SQL injection?

I'm doing some web pentesting exercises and there is this one task saying that I need to make a new account with this name and this password by using SQL injection. On the web page there is a text input 'username' and another text input 'password'. I can enter whatever characters I want inside the username text input, but inside the password text input I need to type a specific injection.
I know I need to inject an insert query, but the thing is I don't know the table name. In order to insert a new user I need to know the table name, so I'm wondering how I can make the web page show me an error with the table name revealed.
The error showing should be like:
Unexpected end of command in statement [SELECT * FROM (tablename) WHERE...]
I tried to enter just one character (maybe more than one character is required) inside the password field to make the error show, or even to delete the password text input parameter. But it just won't show the SQL syntax error.
So the question is: How can I make use of the exploit to make the web page show the SQL syntax error with the table name revealed?
And why doesn't injection work on the username field when it does on the password field?
The first thing is to understand the difference between "application" errors (for example, "the user doesn't exist") and execution errors, in which the application itself fails, like the "Unexpected end of command" you mention. The first case is not usually a problem from the security point of view (unless the application is very badly programmed); the second one is what could allow hacking.
A well-programmed web application should ideally only have application errors, but the more realistic approach is to cope with unexpected execution errors in a way that doesn't make it vulnerable. Also, the application should process any user input in a way that doesn't cause an execution error.
It seems that they are teaching you the most flagrant case that allows SQL injection: apps that don't do any processing of user input (so it's very easy to put text in an input field that causes an execution error), and that don't cope with execution errors (in this case, showing the internal execution message to the user).
A common mistake in web applications is constructing the SQL query with string concatenation, so the simplest way of making it fail is using the string delimiter (') in a field, causing the string value to end prematurely. In a sloppy web app it would cause an execution error that shows the full error message, usually including the table name.
From there you craft a SQL query in the input field that inserts the user in the table; you can find examples online (note that you need at least basic knowledge of SQL and PHP (or ASP, Java, etc.) in order to do SQL injection, since you need to know how the database access works in order to make it fail).
Finally, SQL injection could work in any input field that is not properly processed, but it depends on how the application is programmed. I suppose that both fields would work, but it will be easier to do that with the password field because it is probably the last one in the SQL query.
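The two failings described in the answer above, shown next to their fix. This is an added example, not part of the original answer; the users table, its columns, the function names and the user-facing messages are assumptions, and the vulnerable handler echoes the failed statement to mimic the error format quoted in the question.

```python
import logging
import sqlite3

log = logging.getLogger("login")


def make_db():
    # Constructed sample data. Real applications store a salted password
    # hash; plaintext is used here only to keep the example short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-pw')")
    return db


def login_vulnerable(db, username, password):
    # String concatenation: a quote in the input ends the literal early
    # and the statement no longer parses.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Execution error handed straight to the user, statement included.
        return f"{exc} in statement [{sql}]"
    return "Welcome" if row else "Invalid username or password"


def login_hardened(db, username, password):
    # Placeholders keep the input as data; it never becomes SQL syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    try:
        row = db.execute(sql, (username, password)).fetchone()
    except sqlite3.Error:
        # Detail goes to the server log; the user sees a generic message.
        log.exception("login query failed")
        return "Something went wrong, please try again later"
    return "Welcome" if row else "Invalid username or password"
```

With a lone string delimiter as the password, the first function returns the driver error together with the table name, while the second returns only the ordinary application error.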

What causes error "Procedure unknown"

So at my company we use a billing system which connects to a Firebird database that we have no back-end access to. I am quite new at this company so my familiarity with the Firebird database is not too great. We keep getting this error:
ERROR: Database Engine Error
Sender Class: TGLPreviewBtn
Exception Class: EIBODBError.
IBO ErrorERRCODE=335544569 SQLCODE=-204
Error Message:
ISC ERROR CODE:335544569
ISC ERROR MESSAGE:
Dynamic SQL Error
SQL error code = -204
Procedure unknown
GET_SUB_CONTACTLIST
At line 3, column 60
This has been a recurring thing since I've been hired (I've been here for about 45 days), and we've reported this error to the company which hosts the billing system that we use to access the database. The company keeps saying that it's a network issue on our end, however I cannot see any indication of a connection drop on our end.
I have to reiterate that we have no back-end access to this database so I have no way of going to see what GET_SUB_CONTACTLIST even refers to.
Any help will be appreciated, I am just out of college and this is my first job in a position like this so I will use this as a great learning experience.
This cannot be a network error on your end. The error literally means that Firebird was asked to execute a stored procedure called GET_SUB_CONTACTLIST, and that stored procedure does not exist at that time.
So either someone (or something) is creating and dropping stored procedures on the fly, or part of the application is calling a stored procedure that simply does not exist.
As an aside: error 335544569 (aka isc_dsql_error) covers a broad range of error conditions with 'dynamic' SQL (in other words: most SQL related errors...), unfortunately a lot of client libraries do not communicate the more specific error code 335544581 (or isc_dsql_procedure_err).

VBA - Jet SQL - False error message

Here's the code:
SQL = " DROP TABLE [H:\Archive23\SPX.accdb].[SPX_MissingTimes] "
MsgBox SQL
DoCmd.RunSQL SQL
This code ran without an error message for a week, then, after some changes in unrelated code following it, it started generating this message:
Microsoft Visual Basic
Run-time error '3295':
Syntax error in DROP TABLE or DROP INDEX.
This error message is generated AFTER later code has run, as proven by the fact that a later MsgBox call executes before the error message.
I call it a "false error message" because the code still works, deleting the table every time.
There are no other DROP statements involved in any code.
I have no idea where to start looking. Any ideas will be appreciated.
GSerg, thanks. Yes, it is a second, different MsgBox coded after DoCmd.Execute that pops up before the error message. This second MsgBox displays the SQL statement for a make-table query which replaces the deleted table, and which is executed without incident. I probably should have mentioned: I am using Windows 10 and Access 2016 in a standalone installation (without the rest of Office). I have had no other strange problems. I have a suspicion this is related somehow to Access inner threading logic. Or maybe it's an Access "ghost" (it wouldn't be my first), which can be eliminated by creating a new blank database and importing everything from the afflicted one to start clean.

WIS 10901 error while refreshing Webi report

While refreshing Webi report I am getting an error:
A database error occured. The database error text is: (CS) "Unexpected behavior" . (WIS 10901)
All the objects are parsing in the universe and Server is also responding. What can be the possible reason?
We are also able to run query in the database using database client tool.
If the error message appears after a long time it might just be a timeout issue.
Else, you could try to import a version of the report that works in CMS to your local drive, rename it and run again.
It can be caused by some special character in the data combined with the fact that the server language settings do not foresee such character and therefore Business Objects cannot parse it for presentation.
If that is the case you might need to configure an environment variable of the server (like NLS_LANG) setting it to a value such that those special characters in your data can be handled by Business Objects.
In my situation, the error appears when some object from the database has changed or does not exist anymore. So we need to delete this object in the Universe or be sure that the field exists in the database with the same name and type.
I had the same problem with my reports. After a couple of hours of "investigation", I found it.
I had created an object in my universe and set an inappropriate data type for it, Number, when the value in the database has type Character.
It threw an Oracle error (ORA-01722) and a Business Objects error (WIS 10901), though the SQL copied from the report creator interface, executed directly on the database, returned proper data.

Customize error messages in adp project - SQL 2005

Hi, I have an adp/SQL project running with my db.
Everything is ok, but is there a way to customize error messages?
Example: read user cannot update one field so he receives the standard SQL error msg. Is there a way to make it more user friendly?
If you're using stored procedures, you can raise a custom error message, or you can have an output procedure that is returned with the error message.
If you're using direct sql syntax, then you can check the ADO error object and convert it to some sort of user defined error message.
Hope that helps