
SQL/GUI Lookup query

  • 02-09-2014 3:14pm
    #1
    Hosted Moderators Posts: 3,331 ✭✭✭


    Hi All,

    Bit of an unusual one. I have an application here locally where I have admin access to the DB but no access to change the DB that I'm aware of. In the GUI we have a search box that looks like it should act as an exact search like the below:
    SELECT
    [TITLE]
    FROM
    [TIPS]
    WHERE
    [TITLE] = 'something'

    but it's actually working like

    SELECT
    [TITLE]
    FROM
    [TIPS]
    WHERE
    [TITLE] LIKE '%something%' ;

    The user only has access to dictate the lookup table and the actual text they want to search for, but not whether or not it's a wildcard or exact search. Any idea if it's possible to put an escape character inside the search text? My gut feeling is no, but I just thought I'd ask.

    The SQL is running on MS SQL Express 2008.

    Cheers,
    Splinter


Comments

  • Registered Users, Registered Users 2 Posts: 7,501 ✭✭✭BrokenArrows


    Depending on how dodgy the background code is, entering this might work:
    %' AND 'mysearchterm

    So that will give a search for [TITLE] LIKE '%%' AND 'mysearchterm%' ;

    It's not 100% exact, but it is a begins-with style search.
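As an added illustration of the two builds discussed in the opening post and in the reply above (this is not code from the thread; Python's sqlite3 stands in for MS SQL Express 2008 because it accepts the same bracketed identifiers and LIKE ... ESCAPE syntax, and the sample rows are constructed): splicing the search text into the SQL string is the "dodgy" case where wildcards and quotes typed into the box change the query, while binding the term as a parameter and escaping it for LIKE makes it match literally, which is why a quote in the search text does nothing in a properly written application.

```python
import sqlite3

# Constructed sample rows standing in for the thread's [TIPS] table.
TITLES = ["something", "something else", "100% something", "my_tip"]

def make_db():
    # sqlite3 stands in for MS SQL Express 2008; it accepts the same
    # [bracketed] identifiers and LIKE ... ESCAPE syntax used below.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE [TIPS] ([TITLE] TEXT)")
    con.executemany("INSERT INTO [TIPS] VALUES (?)", [(t,) for t in TITLES])
    return con

def search_concat(con, term):
    # The "dodgy" build: the search text is spliced into the SQL string,
    # so % and _ act as wildcards and a quote alters the statement.
    sql = "SELECT [TITLE] FROM [TIPS] WHERE [TITLE] LIKE '%" + term + "%'"
    return sorted(r[0] for r in con.execute(sql))

def escape_like(term, esc="\\"):
    # Escape LIKE metacharacters so the term matches literally.
    # (T-SQL also treats [ as a metacharacter; escape it there too.)
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_param(con, term):
    # Hardened build: the term is bound as data and escaped for LIKE,
    # so wildcards and quotes typed into the box have no SQL meaning.
    sql = "SELECT [TITLE] FROM [TIPS] WHERE [TITLE] LIKE ? ESCAPE '\\'"
    return sorted(r[0] for r in con.execute(sql, ("%" + escape_like(term) + "%",)))

def search_exact(con, term):
    # What the GUI's search box looks like it should do.
    sql = "SELECT [TITLE] FROM [TIPS] WHERE [TITLE] = ?"
    return sorted(r[0] for r in con.execute(sql, (term,)))

def quote_breaks_concat(con, term="O'Brien"):
    # A quote in the term makes the concatenated statement fail to parse;
    # the bound version simply finds no row with that literal title.
    try:
        search_concat(con, term)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(search_concat(db, "%"), search_param(db, "%"), quote_breaks_concat(db))
```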


  • Hosted Moderators Posts: 3,331 ✭✭✭Splinter


    So it would become

    SELECT
    [TITLE]
    FROM
    [TIPS]
    WHERE
    [TITLE] LIKE '%''something%' ;

    ?

    Just trying that and no luck.


  • Registered Users, Registered Users 2 Posts: 1,712 ✭✭✭neil_hosey


    Most definitely dodgy.


  • Hosted Moderators Posts: 3,331 ✭✭✭Splinter


    No luck with searching for ' AND 'selection either, I'm afraid.


  • Registered Users, Registered Users 2 Posts: 295 ✭✭shrewd


    What is the objective here?

    What are you trying to escape?


  • Registered Users, Registered Users 2 Posts: 7,501 ✭✭✭BrokenArrows


    Splinter wrote: »
    No luck with searching for ' AND 'selection either, I'm afraid.

    Well then, it looks like the background code is done properly, so you are out of luck.


  • Registered Users, Registered Users 2 Posts: 586 ✭✭✭Aswerty


    You have admin access to the DB but don't have the access to change the DB? This sounds like a contradiction.

    Also, can you specify whether the SQL query is baked into the GUI-based application, which I assume runs on a user's machine, or whether it is a stored procedure?

    Finally, performing SQL injection on your own system to modify an SQL query is just insane.


  • Hosted Moderators Posts: 3,331 ✭✭✭Splinter


    I personally have DB admin access but I don't know if I have access to change the query. I amn't responsible for the build of the application, so a lot of it is me trying to figure it out from what is labelled correctly. Is it possible to find the query, or is that held inside the application side of it? My knowledge of where queries are built/run from is limited, I'm afraid.

    Thanks


  • Registered Users, Registered Users 2 Posts: 586 ✭✭✭Aswerty


    If you have DB admin access you should have sufficient access to make changes to the database. The issue is that you don't actually seem to know where the query is stored. If it is a stored procedure then it is stored in the DB and you should be able to modify it yourself. You would best do this by accessing the SQL server with a management client (e.g. SQL Server Management Studio, MySQL Workbench).

    N.B. Messing around with a database when you don't know what you are doing is a recipe for disaster!

    If it is part of the GUI application itself then there is a very good chance that the only way to modify it is to modify the application's source code and rebuild it. If this is the case, I think getting hold of someone who is responsible for the development of the application is a must.

    If this is a critical/live system that you are looking at modifying I'd think twice about making any changes before you have a lot more knowledge of the systems in place.


  • Registered Users, Registered Users 2 Posts: 6 Aztech


    It looks like the code is written well enough to stop SQL injection. So amending how this works would only seem to be possible if it happens to be executing in a stored procedure.

    You could run SQL Express Profiler (aka ExpressProfiler, I can't post links but a quick search will find it) to see what's executing the query on the database. If it's an SP it will be easy to make the change you need. If it is not, you are going to need changes to the code.

