So my website was open to SQL injection and was exploited using Havij. My question is: for that program you can use a placeholder in the format `getVariable=%inject_Here%`.

Now I know that in a `LIKE` statement you can use `%` as a wildcard.

Do `%` signs have any significance inside an equals comparison? Or, with that structure, is it literally looking for the string `"%inject_Here%"`?

I'm just trying to understand the format to help further prevent injection.

Any information on the subject would be appreciated!

Jonathan Leffler
Travis
  • possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Mar 16 '15 at 21:00
  • Havij literally looks for and uses `%inject_Here%` as the vector for exploitation – Prime Mar 16 '15 at 21:02
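As an added illustration (not code from the question, the comments or the answer), the probe below runs the same `%inject_Here%` text through an `=` comparison and a `LIKE` comparison against an in-memory SQLite table, then contrasts SQL built by string concatenation with a parameterized query. The table, its rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows (not from the original post) used to probe how '%' behaves.
ROWS = ["alice", "%inject_Here%", "inject_Here", "bob_inject_Here_x", "O'Brien"]


def setup():
    """Build an in-memory SQLite table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(r,) for r in ROWS])
    return conn


def lookup_equals(conn, value):
    """'=' compares the whole string; '%' is an ordinary character here."""
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (value,))
    return [r[0] for r in cur]


def lookup_like(conn, pattern):
    """LIKE treats '%' as 'any run of characters', so the same text acts as a wildcard."""
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ?", (pattern,))
    return [r[0] for r in cur]


def lookup_concat(conn, value):
    """The vulnerable shape scanners such as Havij look for: input spliced into the SQL text.

    Returns None when the pasted value breaks the statement instead of being treated as data;
    a legitimate name with an apostrophe is enough to show the defect.
    """
    sql = "SELECT name FROM users WHERE name = '" + value + "'"
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    db = setup()
    probe = "%inject_Here%"
    print("=    ->", lookup_equals(db, probe))              # only the literal row
    print("LIKE ->", lookup_like(db, probe))                # every row containing inject_Here
    print("concat O'Brien ->", lookup_concat(db, "O'Brien"))  # None: statement is broken
    print("param  O'Brien ->", lookup_equals(db, "O'Brien"))  # ["O'Brien"]: quote is just data
```

With a parameterized query the driver sends the value separately from the SQL text, so neither a `%` nor a quote can change the statement; `%` only gains meaning when the comparison itself is `LIKE`.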

1 Answer


You can convert a string to its hexadecimal value. Here is a website about doing that in SQL: http://www.codeproject.com/Articles/610089/SQL-Servers-FORMAT-function#13. Every language has an easy-to-use method to convert strings to and from hexadecimal. This will enable you to place any character you want in the string.

If you are actually using percentages in a mathematical way, it is not proper to store them in your SQL string. You should store them in decimal format, `decimal(p,s)`, for example `decimal(5,2)`.

kayleighsdaddy