You are here: Re: Preventing SQL Injection attacks « MsSQL Server « IT news, forums, messages
Re: Preventing SQL Injection attacks

Posted by Erland Sommarskog on 10/01/48 11:41

Kevin Audleman (audleman@quasika.net) writes:
> My site has come under attack from sql injections. I thought I had
> things handled by replacing all single quotes with two single quotes,
> aka
>
> Replace(inputString, "'", "''")
>
> Alas, clever hackers have still managed to find a way to drop columns
> from some of my tables. Can anybody direct me towards a best practice
> document on preventing these attacks?

Learn about using parameterised commands in whichever API you are using.



--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация