quote:I'm sure you know these articles from http://www.appsecinc.com named Manipulating Microsoft SQL Server Using SQL Injection. Or Advanced SQL Injections in SQL Server Applications by http://www.ngssoftware.com.
quote:I understand the principle of the above article, I just don't understand how someone could submit the commands to the server unless they already had access to the server. Can anyone throw some light on this?
quote:Has anyone ever been injected?
quote:Like I said, as a DBA, you're really hand-cuffed if the developer doesn't build the application securely. Hence the reason for code reviews. Pair programming, a la Extreme Programming, ain't a bad practice, either, so long as one of the programmers is versed in defensive programming.
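The point in the posts above (the attacker needs no server access because the application itself forwards user input into a query, and only the developer can close that hole) is shown here as an added example that is not part of any post in this thread. It uses an in-memory sqlite3 table as a stand-in for a SQL Server users table (an assumption made so the example runs offline; the concatenation flaw and the parameterized fix behave the same way on SQL Server), and the table contents are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table standing in for the
    # application's real SQL Server table (assumption for this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn, name, pw):
    # Vulnerable pattern: the web form's fields are pasted into the SQL text,
    # so whatever the remote user types becomes part of the command the DBA's
    # server executes. No server access is needed, only the login form.
    sql = f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, pw):
    # Hardened pattern: the SQL text is fixed at development time and the
    # values travel separately as parameters, so the driver never parses
    # user input as SQL. This is the change only the developer can make.
    sql = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def compare(name, pw):
    # Run the same form input through both code paths and return the ids
    # each one lets through, so a reviewer can see the difference directly.
    conn = make_db()
    return login_concat(conn, name, pw), login_param(conn, name, pw)


if __name__ == "__main__":
    print("valid credentials :", compare("alice", "s3cret"))
    print("wrong password    :", compare("alice", "wrong"))
    # A password field containing a quote and a tautology: the concatenated
    # query matches every row, the parameterized query matches none.
    print("quote in password :", compare("x", "' OR '1'='1"))
```

Running it prints `([1], [1])` for valid credentials, `([], [])` for a wrong password, and `([1, 2], [])` for the input containing a quote: the concatenated version has let an unauthenticated form submission select every user, while the parameterized version treated the same text as an ordinary (non-matching) password. In a code review, any query built with string formatting or `+` on request data is the line to flag; the DBA-side controls (least-privileged application login, no `xp_cmdshell`) limit the damage but do not remove the flaw.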