Kevin Turner came to Vietnam yesterday for the "Heroes happen here" events, at which he introduced the "new and innovative" 2008 solutions. But the companion website, http://www.heroeshappenhere.vn, is wide open to SQL injection: a single quote typed into the newsletter sign-up box in the page footer is enough to break the query and get back the raw ASP.NET error page, complete with the offending source line and the server path.
Unclosed quotation mark before the character string '''.
Line 1: Incorrect syntax near '''.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string '''.
Line 1: Incorrect syntax near '''.
Source Error:
Line 21: cmd.CommandText="SELECT count(*) FROM Newletters WHERE Email='"+ txtEmail.Text+"'";
Line 22:
Line 23: int Count = (int)cmd.ExecuteScalar();
Line 24:
Line 25: if (Count > 0)
Source File: d:\hosting\heroeshappenhere\footer.ascx Line: 23
Stack Trace:
[SqlException (0x80131904): Unclosed quotation mark before the character string '''.
Line 1: Incorrect syntax near '''.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +925466
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +800118
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +186
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +1932
System.Data.SqlClient.SqlDataReader.ConsumeMetaData() +31
System.Data.SqlClient.SqlDataReader.get_MetaData() +62
System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +297
System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +1005
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +132
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +32
System.Data.SqlClient.SqlCommand.ExecuteScalar() +137
ASP.footer_ascx.cmdNewletter_Click(Object sender, EventArgs e) in d:\hosting\heroeshappenhere\footer.ascx:23
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +105
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +107
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746
Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433
M$ is still M$, after all...
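To make the failure concrete, here is an added example (not the site's code) that rebuilds the query from footer.ascx line 21 against an in-memory SQLite database standing in for SQL Server. The table and column names (Newletters, Email) come from the error page above; the subscriber rows and the probe helper are constructed for this demo. It shows the three behaviours a tester will see: a normal address counts correctly, a lone quote breaks the SQL (the yellow page above), and a quote followed by OR makes the count nonzero so the site's "if (Count > 0)" check is satisfied for an address that was never subscribed. The parameterized version returns the right answer for all three because the input never becomes SQL text.

```python
import sqlite3

# Constructed sample data: the table and column names come from the
# error page; the subscriber rows are made up for this example.
SUBSCRIBERS = ["alice@example.com", "bob@example.com"]


def open_db():
    """In-memory SQLite stands in for the site's SQL Server back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Newletters (Email TEXT NOT NULL)")
    conn.executemany("INSERT INTO Newletters (Email) VALUES (?)",
                     [(e,) for e in SUBSCRIBERS])
    return conn


def count_vulnerable(conn, email):
    """Mirrors footer.ascx line 21: the user's input is concatenated into
    the query text, so any quote in the input becomes part of the SQL."""
    sql = "SELECT count(*) FROM Newletters WHERE Email='" + email + "'"
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, email):
    """The fix: the input travels as a bound parameter, never as SQL text."""
    sql = "SELECT count(*) FROM Newletters WHERE Email=?"
    return conn.execute(sql, (email,)).fetchone()[0]


def probe(email):
    """Run both versions on one input and return
    (vulnerable_result, parameterized_result).

    A vulnerable_result of "error" is the broken-syntax condition that
    produced the ASP.NET error page above; a number larger than the
    real match count means the WHERE clause was rewritten by the input."""
    conn = open_db()
    try:
        vuln = count_vulnerable(conn, email)
    except sqlite3.OperationalError:
        vuln = "error"
    return vuln, count_parameterized(conn, email)


if __name__ == "__main__":
    for payload in ["alice@example.com", "'", "' OR '1'='1"]:
        print(repr(payload), "->", probe(payload))
```

Two caveats. SQLite's execute() refuses more than one statement, so a stacked payload such as `'; DROP TABLE Newletters; --` raises sqlite3.ProgrammingError here, whereas SQL Server runs the whole batch that SqlCommand sends, so the real exposure is worse than this demo shows. In the site's own C# the fix is the same idea: `WHERE Email=@email` in the command text plus `cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = txtEmail.Text;`. Separately, the stack trace, source lines and d:\hosting path only reach a visitor's browser when web.config sets `<customErrors mode="Off" />`; `On` or `RemoteOnly` returns a generic error page instead.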
Thursday, April 10, 2008
Noobs happen here