I'm looking for a query that will show, say the tables in the database to a site just to test my own sites against SQL injection attacks.

If you wouldn't mind pm'ing me the actual reply as i know its not the type of information you should just throw out there!

Thanks in advance.

__________________
Irish Gaming Network

You want a query to show you the tables or you want a query that will show you more?

__________________
Quality Hosting & Domains|Plesk Vps Hosting|Geek / Cool Stuff|Films.ie|Cool Sites|Monetisation Tips|Movie News and Reviews

Well basically a query that will show if SQL injection attack will work on my site or not if you get me!? I need to see what people can see and change.

It depends on the database you are using. I presume that you are using parameters on your urls? If you are using stored procs this would not be an issue. If you are building sql string then it may be.

Injection attacks take the form of appending pieces of SQL which are always true onto your param i.e. OR 1=1, so you sql becomes something like select * from mytable where custid=3232 or 1=1 which brings back all customers.

To get a list of tables you would need to try and append a UNION query to the string. select * from mytable where custid=3232 UNION select tablename from sysobjects where xtype = 'U'. Doubt this would work as the columns would not match. Maybe if you could work out the columns that the customer query brought back and aliased the second query column to the same name/numbers. It would be messy and unlikely to work.

Also, the user that you run your sql should have as little permissions as possible - not the admin!