Posted by Tom van Stiphout on 11/16/07 14:41
On Fri, 16 Nov 2007 13:01:14 GMT, "Dan Guzman"
<guzmanda@nospam-online.sbcglobal.net> wrote:
I agree with you, but isn't this a strike against LINQ?
-Tom.
>> I'm a web programmer, but I never understood sql injecting.
>
>Your best defense against SQL injection in SQL Server is to execute only
>parameterized SQL statements and stored procedures. Never build SQL strings
>by concatenating values. Code is vulnerable to injection if SQL statements
>are built and executed like:
>
>sqlStatement = "SELECT MyData FROM dbo.MyTable WHERE MyColumn = '" + myValue
>+ "'";
>
>A malicious user can change the intent of this SQL statement by specifying a
>value like:
>
>';DROP TABLE dbo.MyTable;--
>
>or
>
>' UNION ALL SELECT Password FROM dbo.Users;--
>
>Google "SQL injection" for more information.
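The two patterns from the quoted reply, run side by side against a constructed SQLite database (an added example, not code from either poster; SQLite stands in for SQL Server, so the tables are assumed to be MyTable and Users without the dbo. prefix, and the UNION payload is the one quoted above):

```python
import sqlite3

# Constructed stand-in for the SQL Server database in the thread.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE MyTable (MyColumn TEXT, MyData TEXT);
        CREATE TABLE Users (Name TEXT, Password TEXT);
        INSERT INTO MyTable VALUES ('alice', 'alice-data');
        INSERT INTO Users VALUES ('admin', 'hunter2');
    """)
    return con

def lookup_concat(con, my_value):
    # The vulnerable pattern from the reply: the value is spliced into the SQL
    # text, so a quote character inside it terminates the literal and whatever
    # follows is parsed as SQL.
    sql = "SELECT MyData FROM MyTable WHERE MyColumn = '" + my_value + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_param(con, my_value):
    # The defence from the reply: a parameterized statement. The SQL text is
    # fixed and the value travels separately, so it can only be compared as data.
    sql = "SELECT MyData FROM MyTable WHERE MyColumn = ?"
    return [row[0] for row in con.execute(sql, (my_value,))]

# The UNION payload quoted in the reply (without the dbo. prefix for SQLite).
PAYLOAD = "' UNION ALL SELECT Password FROM Users;--"

if __name__ == "__main__":
    con = make_db()
    print(lookup_concat(con, "alice"))   # ['alice-data']
    print(lookup_concat(con, PAYLOAD))   # ['hunter2']  the UNION leaks Users.Password
    print(lookup_param(con, PAYLOAD))    # []  the payload is just an unmatched string
```

The ';DROP TABLE' variant from the reply is not shown because Python's sqlite3 refuses to execute more than one statement per call, which is a driver restriction, not a defence you should rely on.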