So I was reading up on how to test if your website is vulnerable, and one SQL injection technique said you can put a ' at the end of the URL and see if it returns an error message. I tried this and I got one:
Error querying db (SELECT * FROM bbk2Schedule WHERE id=2342\'): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
I decided to continue on with the website to see what someone could potentially do to me.
The next part of the tutorial said as follows:
To find number of columns we use statement ORDER BY (tells database how to order the result) so how to use it? Well just incrementing the number until we get an error.
http://www.xyz.com/news.php?id=5 order by 1/* <-- no error
http://www.xyz.com/news.php?id=5 order by 2/* <-- no error
http://www.xyz.com/news.php?id=5 order by 3/* <-- no error
http://www.xyz.com/news.php?id=5 order by 4/* <-- error (we get message like this Unknown column '4' in 'order clause' or something like that)
that means that it has 3 columns, cause we got an error on 4
When I tried this technique, I got an error on 1 that said:
Error querying db (SELECT * FROM bbk2Schedule WHERE id=2342 order by 1/*): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/*' at line 1.
Long post short: Is my website vulnerable or not? I'm confused because it has symptoms of vulnerabilities but I myself can't find a way to exploit it (not meaning someone else can't, of course).
Can someone tell me 1. if I'm vulnerable, and 2. how come the technique presented didn't work?
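
An added example (not part of the original post and not the site's code) showing what the two error messages above imply: the `id` value is pasted into an unquoted numeric position, so escaping quotes does not keep it out of the SQL parser, while validating and binding the value does. SQLite stands in for MySQL, and the function names, the sample row and the escaping routine are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the MySQL server in the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bbk2Schedule (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO bbk2Schedule VALUES (2342, 'constructed row')")
    return db

def escape_quotes(value):
    # Assumption: the site backslash-escapes quotes, as the \' in the error suggests.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def lookup_concatenated(db, raw_id):
    # Vulnerable pattern: the value is concatenated where a number is expected,
    # with no surrounding quotes, so quote escaping cannot confine it to data.
    sql = "SELECT * FROM bbk2Schedule WHERE id=" + escape_quotes(raw_id)
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the query and the driver error mirrors what the site does.
        return "Error querying db (%s): %s" % (sql, exc)

def lookup_bound(db, raw_id):
    # Hardened form: accept only a plain integer, then bind it as a parameter
    # so the SQL text never contains request data.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    return db.execute(
        "SELECT * FROM bbk2Schedule WHERE id = ?", (int(raw_id),)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The three inputs are the ones that appear in the post.
    for raw in ["2342", "2342'", "2342 order by 1"]:
        print(repr(raw))
        print("  concatenated:", lookup_concatenated(db, raw))
        print("  bound:       ", lookup_bound(db, raw))
```

With the concatenated query, the third input runs as SQL and still returns the row, which shows the request value is being parsed as part of the statement; the bound version treats every non-integer input as no match and never produces a database error.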


