Hello everybody,

I have discovered an SQL injection in the X-Forwarded-For HTTP header, but I am having trouble exploiting it. I use the Firefox plugin "X-forwarded-for Header" to edit the value and put the quote. Actually, I should double quote to see the error message, using: '". This is the error message I get:

Code:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '" or 1/*, VALUE_OF_THE_HEADER'' at line 1' in xxx/www/inc/function.php:190
Stack trace:
#0 xxx/www/inc/function.php(190): PDOStatement->execute()
#1 xxx/www/index.php(56): is_banned()
#2 {main}
  thrown in xxx/www/inc/function.php on line 190

I tried replacing the value of the header with '" OR 1=1 and everything that I had read about SQL injection, but I failed.

I would appreciate it if anyone could help me.

Thank you all.
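For anyone maintaining a ban check like the is_banned() call in the stack trace above, this is an added example (not part of the original post and not the affected site's code) of the same lookup with the header value validated and bound as a parameter. The table and column names, the trusted-proxy list, the sample addresses and the use of in-memory SQLite in place of MySQL are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical schema banned_ips(ip); in-memory SQLite stands in for the site's MySQL.
function make_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE banned_ips (ip TEXT PRIMARY KEY)');
    $pdo->exec("INSERT INTO banned_ips (ip) VALUES ('203.0.113.7')"); // constructed sample row
    return $pdo;
}

// X-Forwarded-For is set by the client, so it is consulted only when the direct
// peer is a proxy we operate (hypothetical list). Anything that is not a
// syntactically valid IP address is rejected before it gets near the database.
function client_ip(array $server, array $trustedProxies): ?string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    $candidate = $peer;
    if (in_array($peer, $trustedProxies, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim(end($parts)); // right-most entry is the one our proxy appended
    }
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// The address travels as a bound parameter, never as part of the SQL text.
function is_banned(PDO $pdo, ?string $ip): bool {
    if ($ip === null) {
        return false; // malformed address: no query is run; treat per site policy
    }
    $stmt = $pdo->prepare('SELECT 1 FROM banned_ips WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchColumn() !== false;
}

$pdo = make_demo_db();
$proxies = ['192.0.2.10']; // constructed proxy address
$cases = [ // constructed requests; the second reuses the header value quoted in the post
    ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_X_FORWARDED_FOR' => '\'" OR 1=1'],
    ['REMOTE_ADDR' => '198.51.100.4', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
];
foreach ($cases as $s) {
    $ip = client_ip($s, $proxies);
    printf("peer=%-13s xff=%-12s ip=%-13s banned=%s\n", $s['REMOTE_ADDR'],
        $s['HTTP_X_FORWARDED_FOR'], $ip ?? 'rejected', is_banned($pdo, $ip) ? 'yes' : 'no');
}
```

On a production site, display_errors should also be off so that an exception like the one quoted above is logged server-side instead of being rendered to the client with file paths and query fragments.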
This is not a Hacking or Computer Security site. If you would like to learn how to make money online then stick around and read.