Re: Sql injecting


Posted by Dan Guzman on 11/16/07 13:01

> I'm a web programmer, but I never understood sql injecting.

Your best defense against SQL injection in SQL Server is to execute only
parameterized SQL statements and stored procedures. Never build SQL strings
by concatenating values. Code is vulnerable to injection if SQL statements
are built and executed like:

sqlStatement = "SELECT MyData FROM dbo.MyTable WHERE MyColumn = '" + myValue
+ "'";

A malicious user can change the intent of this SQL statement by specifying a
value like:

';DROP TABLE dbo.MyTable;--

or

' UNION ALL SELECT Password FROM dbo.Users;--

Google "SQL injection" for more information.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"ofiras" <ofiasu@gmail.com> wrote in message
news:99681e70-75a7-4a44-a4b6-cde76dd7362d@v4g2000hsf.googlegroups.com...
> Hi everyone,
> I'm a web programmer, but I never understood sql injecting.
> All I found was that you can write "a' or 'a'='a" in the password
> field to try to connect without knowing the password.
> I heard that there are many other ways to do sql injecting, and I
> never found how.
> I know that you can even manage to get data from sql tables using sql
> injecting.
> How can it be? How can someone do it?
> Please help,
> Ofir.
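The two patterns in the reply, side by side, as an added example that is not part of Dan Guzman's post or the original question. SQLite stands in for SQL Server so it runs offline; the table and column names (MyTable / MyColumn / MyData, Users / Password) follow the reply, with the dbo. schema prefix dropped because SQLite has no schemas, and the rows are constructed sample data. The payloads are the UNION one from the reply and the password-field trick from the question.

```python
import sqlite3

# Constructed sample data. SQLite stands in for SQL Server here; table and column
# names follow the reply, minus the dbo. prefix (SQLite has no schemas).
SCHEMA = """
CREATE TABLE MyTable (MyColumn TEXT, MyData TEXT);
CREATE TABLE Users   (Username TEXT, Password TEXT);
INSERT INTO MyTable VALUES ('public', 'hello world'), ('internal', 'not for you');
INSERT INTO Users   VALUES ('alice', 'hunter2'), ('bob', 'letmein');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, my_value):
    """The concatenation pattern from the reply: the user's value becomes SQL text."""
    sql = "SELECT MyData FROM MyTable WHERE MyColumn = '" + my_value + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, my_value):
    """The recommended form: the SQL text is fixed, the value travels as a parameter."""
    sql = "SELECT MyData FROM MyTable WHERE MyColumn = ?"
    return [row[0] for row in conn.execute(sql, (my_value,))]


def login_vulnerable(conn, username, password):
    """The login check from the original question, built by concatenation."""
    sql = ("SELECT COUNT(*) FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same check with placeholders; the quote in the payload is just data."""
    sql = "SELECT COUNT(*) FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# The UNION payload from the reply and the password-field trick from the question.
UNION_PAYLOAD = "' UNION ALL SELECT Password FROM Users;--"
LOGIN_PAYLOAD = "a' or 'a'='a"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "public"))                  # ['hello world']
    print(lookup_vulnerable(conn, UNION_PAYLOAD))             # ['hunter2', 'letmein']
    print(lookup_parameterized(conn, UNION_PAYLOAD))          # []
    print(login_vulnerable(conn, "alice", LOGIN_PAYLOAD))     # True
    print(login_parameterized(conn, "alice", LOGIN_PAYLOAD))  # False
```

With the parameterized versions the closing quote, the UNION and the comment marker never reach the SQL parser as syntax, so the lookup returns nothing and the login fails. One caveat when you try this against the stacked-query payload (`';DROP TABLE dbo.MyTable;--`): whether a second statement runs depends on the driver, and Python's sqlite3 `execute()` refuses more than one statement per call, whereas SQL Server client libraries execute the whole batch, which is why that payload is dangerous there.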



Copyright © 2005-2006 Powered by Custom PHP Programming