• TravisDBA (3/29/2013)


    Another thing to remember here is that script injection is NOT just restricted to SQL. MS-DOS commands can be injected in a string that is passed to xp_cmdshell and executed with the current privileges. If you know how to use ampersands, it's really easy to do. Tim Burleson wrote a very good article with a real fine example of this that is well worth reading. 😀

    http://www.rampant-books.com/t_super_sql_157_script_injection_msdos.htm

    I did mention "DOS Injection" in my first post on this thread, but it's absolutely worth mentioning again. Thanks, Travis.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
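The ampersand trick described in the quoted post, as an added T-SQL example that is not part of the original thread or of the linked article. The procedure names, the C:\Exports path and the folder-name argument are hypothetical; the example assumes xp_cmdshell is enabled on the instance. The first procedure concatenates caller input straight into a command line, the second refuses anything outside a strict allow-list of characters before the shell ever sees it.

```sql
-- Added example (not from the original post). Procedure names and paths are
-- hypothetical; assumes xp_cmdshell is enabled on the instance.

-- VULNERABLE: @FolderName is concatenated straight into the command line.
CREATE PROCEDURE dbo.ListFolder_Vulnerable
    @FolderName NVARCHAR(260)
AS
BEGIN
    DECLARE @Cmd NVARCHAR(4000);
    SET @Cmd = N'dir "C:\Exports\' + @FolderName + N'"';
    EXEC master.sys.xp_cmdshell @Cmd;
END;
GO

-- A caller who controls @FolderName can pass:   Reports" & whoami & rem
-- The command line handed to cmd.exe becomes:
--   dir "C:\Exports\Reports" & whoami & rem "
-- cmd.exe runs dir, then whoami, under the SQL Server service account (or the
-- xp_cmdshell proxy account); the trailing rem swallows the dangling quote.
EXEC dbo.ListFolder_Vulnerable N'Reports" & whoami & rem';
GO

-- HARDENED: allow-list the characters a folder name may contain; reject the rest.
CREATE PROCEDURE dbo.ListFolder_Hardened
    @FolderName NVARCHAR(260)
AS
BEGIN
    -- Only letters, digits, underscore and hyphen are accepted. Any other
    -- character (including & | > < ^ " and whitespace) is refused up front.
    -- Inside [...] the underscore and the trailing hyphen are literals, and the
    -- binary collation keeps the A-Z / a-z ranges from matching accented letters.
    IF @FolderName IS NULL
       OR @FolderName = N''
       OR @FolderName LIKE N'%[^A-Za-z0-9_-]%' COLLATE Latin1_General_BIN
    BEGIN
        RAISERROR(N'Invalid folder name.', 16, 1);
        RETURN;
    END;

    DECLARE @Cmd NVARCHAR(4000);
    SET @Cmd = N'dir "C:\Exports\' + @FolderName + N'"';
    EXEC master.sys.xp_cmdshell @Cmd;
END;
GO

-- Same payload against the hardened version is rejected before xp_cmdshell runs.
EXEC dbo.ListFolder_Hardened N'Reports" & whoami & rem';
-- Legitimate input still works.
EXEC dbo.ListFolder_Hardened N'Reports-2013_03';
GO
```

The allow-list is the point: trying to escape or strip individual metacharacters (&, |, ^, quotes) leaves you chasing every cmd.exe parsing rule, whereas refusing everything except a known-safe alphabet needs no knowledge of the shell at all. Where xp_cmdshell cannot be avoided, also run it under a low-privilege proxy account so that whatever does get through runs with as little as possible.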