roger.plowman (1/22/2016)
The flaw I'm talking about is the lack of a definitive end of line. In SQL syntax the concept of whitespace includes the end of line marker used by the majority of other languages. This makes SQL injection MUCH easier by treating end of line as just another kind of whitespace.
I don't really agree that this is a flaw, there are plenty of languages that don't explicitly use EOL as a syntactic element (other than lumping it in with the rest of whitespace as a delimiter "class" (lol inventing terms lol))
But even if it were, I don't even think it matters because databases prefer their interfaces to send user data to the process as parameters, and the SQL to execute on these parameters SEPARATELY. This way, the work to keep code and data (parameters) separate (and therefore keep user supplied code hacks out of the execution stream) is kept in one place and maintained by those best suited to maintain the code and data separation, i.e., THE SERVER DEVELOPERS.
When you mix SQL code and user parameters yourself (by not using parameterized calls to SQL Server), YOU ARE ESSENTIALLY REINVENTING THE WHEEL. When this wheel is REINVENTED POORLY, security can fail, and end users can inject arbitrary code to be executed by the server.
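As an added example (not code from either post; it uses Python's sqlite3 module standing in for SQL Server, with a constructed table and a constructed payload), here is the concatenated login query beside the parameterized one. The payload contains a line break before the injected `OR`, which the SQL parser treats as ordinary whitespace, so the concatenated version returns every row, while the parameterized version hands the same string to the server as data and matches nothing:

```python
import sqlite3

# Constructed sample data for the demo (not from the original thread).
USERS = [("alice", "hunter2"), ("bob", "swordfish")]


def make_db():
    """Build an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """VULNERABLE: the application splices user data into the SQL text.

    The server receives one string and has no way to tell which parts were
    meant as code and which as data.
    """
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """SAFE: SQL text and parameters travel separately; the driver/server
    binds the values, so the strings are never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# Constructed payload. The newline after the closing quote is just
# whitespace to the SQL parser, and the trailing "--" comments out the
# rest of the original statement (the password check).
PAYLOAD_NAME = "x'\nOR 1=1 --"


def demo():
    conn = make_db()
    return {
        "concat_attack": login_concat(conn, PAYLOAD_NAME, "wrong"),
        "param_attack": login_param(conn, PAYLOAD_NAME, "wrong"),
        "param_legit": login_param(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point of the pairing is the one made above: in `login_param` nobody in the application has to reason about quotes, newlines or comment markers at all, because the query text never changes and the values are bound by the driver.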