the-web-application-hackers-handbook

336 Chapter 9 n Attacking Data Stores
(continued)
Oracle:
ORA-01722: invalid number
ORA-01858: a non-numeric character was found where a
numeric was expected
MS-SQL: Msg 245, Level 16, State 1, Line 1
Syntax error converting the varchar value ‘foo’ to a
column of data type int.
MySQL:
Translation:
(MySQL will not give you an error.)
Your input doesn’t match the expected data type for the field. You
may have SQL injection, and you may not need a single quote, so
try simply entering a number followed by your SQL to be injected. In
MS-SQL, you should be able to return any string value with this error
message.
Oracle:
MS-SQL:
MySQL:
Translation:
ORA-00923: FROM keyword not found where expected
N/A
N/A
The following will work in MS-SQL:
SELECT 1
But in Oracle, if you want to return something, you must select from
a table. The DUAL table will do fine:
SELECT 1 from DUAL
Oracle:
MS-SQL:
MySQL:
Translation:
ORA-00936: missing expression
Msg 156, Level 15, State 1, Line 1Incorrect syntax
near the keyword ‘from’.
You have an error in your SQL syntax. Check the
manual that corresponds to your MySQL server version
for the right syntax to use near ‘ XXX , YYY from
SOME_TABLE’ at line 1
You commonly see this error message when your injection point
occurs before the FROM keyword (for example, you have injected
into the columns to be returned) and/or you have used the comment
character to remove required SQL keywords. Try completing the
SQL statement yourself while using your comment character. MySQL
should helpfully reveal the column names XXX, YYY when this condition
is encountered.