SQL injection .NET

    Date: 03/13/13 (Web Development)    Keywords: sql

    The pentesters told us that the following code is vulnerable to SQL injection in our e-store:

    create procedure dbo.uspBeAfraidBeVeryAfraid ( @p1 varchar(64) )
    AS
    SET NOCOUNT ON
    declare @sql varchar(512)
    set @sql = 'select * from ' + @p1
    exec(@sql)
    GO


    How should I fix the issue?

    Source: http://webdev.livejournal.com/583006.html
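
One way to harden the procedure in the question, as an added example that is not part of the original post: a table name cannot be passed as a bound parameter, so the value is resolved against the catalog and an allowlist, then quoted with QUOTENAME before it is executed. The procedure name `uspSelectFromAllowedTable` and the tables `Products` and `Categories` are hypothetical.

```sql
-- Added example: hardened counterpart of the procedure in the question.
-- The procedure name and the allowlisted tables are hypothetical.
CREATE PROCEDURE dbo.uspSelectFromAllowedTable ( @p1 sysname )
AS
SET NOCOUNT ON;

DECLARE @schema sysname, @table sysname, @sql nvarchar(600);

-- Resolve the caller's value against catalog metadata instead of trusting it.
-- Only an exact match on an existing dbo table that is also on the
-- allowlist is accepted; anything else leaves @table NULL.
SELECT @schema = s.name, @table = t.name
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE t.name = @p1
  AND s.name = N'dbo'
  AND t.name IN (N'Products', N'Categories');  -- constructed allowlist

IF @table IS NULL
BEGIN
    RAISERROR(N'Unknown or disallowed table name.', 16, 1);
    RETURN 1;
END;

-- Build the statement from the catalog's own values, not from @p1,
-- and bracket-quote each identifier so it cannot end the name early.
SET @sql = N'SELECT * FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N';';

EXEC sys.sp_executesql @sql;
GO

-- Constructed calls:
EXEC dbo.uspSelectFromAllowedTable @p1 = N'Products';      -- returns rows
EXEC dbo.uspSelectFromAllowedTable @p1 = N'Products; --';  -- rejected: no such table
```

Dynamic SQL runs with the caller's permissions rather than through ownership chaining, so the calling account needs only SELECT on the allowlisted tables and nothing broader.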
