Posted by Dan Guzman on 11/17/07 14:32
> I agree with you, but isn't this a strike against LINQ?
IMHO, yes. I know little about LINQ but, from what I've seen, there are
both pros and cons.
--
Hope this helps.
Dan Guzman
SQL Server MVP
"Tom van Stiphout" <no.spam.tom7744@cox.net> wrote in message
news:n0brj3prd4fba5d66mcj7a35qt6pbs5gu7@4ax.com...
> On Fri, 16 Nov 2007 13:01:14 GMT, "Dan Guzman"
> <guzmanda@nospam-online.sbcglobal.net> wrote:
>
> I agree with you, but isn't this a strike against LINQ?
> -Tom.
>
>
>>> I'm a web programmer, but I never understood sql injecting.
>>
>>Your best defense against SQL injection in SQL Server is to execute only
>>parameterized SQL statements and stored procedures. Never build SQL strings
>>by concatenating values. Code is vulnerable to injection if SQL statements
>>are built and executed like:
>>
>>sqlStatement = "SELECT MyData FROM dbo.MyTable WHERE MyColumn = '" + myValue + "'";
>>
>>A malicious user can change the intent of this SQL statement by specifying
>>a value like:
>>
>>';DROP TABLE dbo.MyTable;--
>>
>>or
>>
>>' UNION ALL SELECT Password FROM dbo.Users;--
>>
>>Google "SQL injection" for more information.
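Added example, not part of Dan Guzman's post or the thread: the concatenated query from the quoted message beside its parameterized form, run against the two input values the post gives. It assumes SQLite (Python's stdlib `sqlite3`) standing in for SQL Server, so table names are unqualified (no `dbo.` schema) and the stacked `DROP TABLE` payload is run through `executescript`, since SQLite's `execute` refuses multi-statement strings while a SQL Server batch would run them. Table contents are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE MyTable (MyColumn TEXT, MyData TEXT);
        CREATE TABLE Users (UserName TEXT, Password TEXT);
        INSERT INTO MyTable VALUES ('alpha', 'public-data-1'), ('beta', 'public-data-2');
        INSERT INTO Users VALUES ('alice', 'hunter2'), ('bob', 's3cret');
    """)
    return conn


def lookup_concatenated(conn, my_value):
    """Vulnerable: the caller's value is spliced into the SQL text, so a quote
    in the value ends the literal and the rest is parsed as SQL."""
    sql = "SELECT MyData FROM MyTable WHERE MyColumn = '" + my_value + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, my_value):
    """Safe: the statement text is fixed; the value is bound as a parameter
    and is only ever compared as data, never parsed."""
    sql = "SELECT MyData FROM MyTable WHERE MyColumn = ?"
    return [row[0] for row in conn.execute(sql, (my_value,))]


def batch_concatenated(conn, my_value):
    """Same vulnerable concatenation, executed as a batch (executescript) to
    mirror a server that accepts several statements in one string."""
    sql = "SELECT MyData FROM MyTable WHERE MyColumn = '" + my_value + "'"
    conn.executescript(sql)


def table_exists(conn, name):
    """Parameterized catalog lookup used to observe the batch's side effect."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    union_payload = "' UNION ALL SELECT Password FROM Users;--"
    print("concatenated:", lookup_concatenated(db, union_payload))   # leaks passwords
    print("parameterized:", lookup_parameterized(db, union_payload))  # []
    drop_payload = "';DROP TABLE MyTable;--"
    batch_concatenated(db, drop_payload)
    print("MyTable still exists:", table_exists(db, "MyTable"))      # False
```

With a normal value both functions return the same row; with the post's `UNION ALL` value the concatenated version returns every password from `Users` while the parameterized version returns nothing, because no `MyColumn` equals that string. The second value shows why the parameterized form, not input filtering, is the fix: the batch built by concatenation drops the table.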