|
Posted by Erland Sommarskog on 10/01/48 11:41
Kevin Audleman (audleman@quasika.net) writes:
> My site has come under attack from sql injections. I thought I had
> things handled by replacing all single quotes with two single quotes,
> aka
>
> Replace(inputString, "'", "''")
>
> Alas, clever hackers have still managed to find a way to drop columns
> from some of my tables. Can anybody direct me towards a best practice
> document on preventing these attacks?
Learn about using parameterised commands in whichever API you are using.
--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
[Back to original message]
|