• Thanks for the feedback!

    Keep in mind, though, that even though in the example I gave all data is passed as VARCHARs, which need to be quoted, not all data passed via SQL statements will be quoted. For instance:

    SELECT * FROM Table1 WHERE IntegerID = 19823

    If this were dynamically constructed, like this:

    SqlString = "SELECT * FROM Table1 WHERE IntegerID = " & InputID.Text

    The user can inject SQL commands with no regard for quotes.  The safest route is to always use .NET parameterized queries and sp_executesql.

    But probably an even bigger problem that I've seen is DBAs and developers giving the ASPNET user (and other users) far too many rights on the server and in the databases themselves. It's often a lot easier just to grant a user SA rights than to figure out exactly what rights they actually need.

    Thanks!
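The unquoted-integer case from the comment above, shown as an added example that is not from the poster or the thread. It uses Python with the standard sqlite3 module as a stand-in for SQL Server and the .NET SqlCommand/sp_executesql path: the `?` placeholder plays the role of a SqlParameter or an sp_executesql `@param`. The table name Table1 and the IntegerID column come from the post; the rows, the second column and the crafted input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the post's Table1 / IntegerID (the Name column is
# an assumption added so the rows have something besides the key).
SAMPLE_ROWS = [(19823, "alice"), (19824, "bob"), (19825, "carol")]

# Only a plain base-10 integer (optional leading minus) is accepted as an ID.
INTEGER_ID = re.compile(r"-?\d+")


def make_db():
    """Build an in-memory SQLite database standing in for the SQL Server table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Table1 (IntegerID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Table1 VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, input_id):
    """The vulnerable construction: the same string concatenation as
    SqlString = "SELECT * FROM Table1 WHERE IntegerID = " & InputID.Text.
    The column is numeric, so no quotes surround the value; whatever text
    arrives in input_id is pasted straight into the statement."""
    sql = "SELECT IntegerID, Name FROM Table1 WHERE IntegerID = " + input_id
    return conn.execute(sql).fetchall()


def is_valid_integer_id(input_id):
    """Defensive input check for a numeric key: reject anything that is not
    exactly an integer literal, before the value gets anywhere near SQL."""
    return INTEGER_ID.fullmatch(input_id.strip()) is not None


def lookup_parameterized(conn, input_id):
    """The safe construction: validate the type, then bind the value as a
    parameter. The driver sends the value separately from the statement text,
    so it can only ever be compared against IntegerID, never parsed as SQL."""
    if not is_valid_integer_id(input_id):
        raise ValueError("IntegerID must be an integer")
    return conn.execute(
        "SELECT IntegerID, Name FROM Table1 WHERE IntegerID = ?",
        (int(input_id),),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A well-formed ID behaves the same either way.
    print(lookup_concatenated(db, "19823"))
    print(lookup_parameterized(db, "19823"))
    # Constructed malicious input: with concatenation the trailing condition
    # becomes part of the WHERE clause and every row comes back.
    print(lookup_concatenated(db, "19823 OR 1=1"))
    # The parameterized path refuses it at validation time.
    print(is_valid_integer_id("19823 OR 1=1"))
```

Validation and binding are complementary, not alternatives: the regex keeps junk out of the application, and the bound parameter guarantees the database never interprets the value as code even if a check is missed. Neither addresses the second point in the comment; what an injected or mistaken statement can reach is still bounded only by the rights granted to the connecting account, which SQLite has no equivalent for and is therefore not shown here.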