Reply to Re: Sql injecting

Your name:

Reply:


Posted by Tom van Stiphout on 11/16/07 14:41

On Fri, 16 Nov 2007 13:01:14 GMT, "Dan Guzman"
<guzmanda@nospam-online.sbcglobal.net> wrote:

I agree with you, but isn't this a strike against LINQ?
-Tom.


>> I'm a web programmer, but I never understood sql injecting.
>
>Your best defense against SQL injection in SQL Server is to execute only
>parameterized SQL statements and stored procedures. Never build SQL strings
>by concatenating values. Code is vulnerable to injection if SQL statements
>are built and executed like:
>
>sqlStatement = "SELECT MyData FROM dbo.MyTable WHERE MyColumn = '" + myValue
>+ "'";
>
>A malicious user can change the intent of this SQL statement by specifying a
>value like:
>
>';DROP TABLE dbo.MyTable;--
>
>or
>
>' UNION ALL SELECT Password FROM dbo.Users;--
>
>Google "SQL injection" for more information.

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация