Comments posted to this topic are about the item Self SQL Injection
Very nice story about white space matters.
Right there with Babe
It honestly surprises me how many people still leave themselves open to SQL injection. Parametrisation and the use of QUOTENAME (in SQL Server) make a query infinitely easier to make it avoidable. It really frustrates me when you see someone that's creating dynamic SQL with a statement like:
DECLARE @SQL nvarchar(max);
SET @SQL = 'SELECT ' + @COL1 + ',' + @COL2 + ' FROM ' + @Table + ' WHERE ' + @Col1 + ' = ' + @Value; -- every input is concatenated raw into the statement, so any one of them can inject
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
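As an added illustration of the two fixes the post names (not code from the poster or the article), here is the same query built safely in T-SQL: identifiers pass through QUOTENAME and are checked against the catalog, and the value is handed to sp_executesql as a typed parameter instead of being concatenated. The table, column names and sample value are assumptions for the demo.

```sql
-- Added example, not from the original post. Inputs would normally be
-- stored-procedure parameters; the names and value below are constructed.
DECLARE @Table sysname        = N'Customers';   -- assumed table in the default schema
DECLARE @COL1  sysname        = N'CustomerId';  -- assumed column
DECLARE @COL2  sysname        = N'Email';       -- assumed column
DECLARE @Value nvarchar(100)  = N'42';          -- untrusted in real life

-- Allow-list the identifiers against the catalog: QUOTENAME stops an input
-- from breaking out of the [bracketed] identifier, but it does not stop a
-- caller naming a column they were never meant to read.
IF COL_LENGTH(@Table, @COL1) IS NULL OR COL_LENGTH(@Table, @COL2) IS NULL
    THROW 50000, N'Unknown table or column', 1;

DECLARE @SQL nvarchar(max);

-- Identifiers are delimited; the value is a parameter, never part of the text.
SET @SQL = N'SELECT ' + QUOTENAME(@COL1) + N', ' + QUOTENAME(@COL2)
         + N' FROM dbo.' + QUOTENAME(@Table)
         + N' WHERE ' + QUOTENAME(@COL1) + N' = @p_value;';

-- sp_executesql binds @p_value as a typed parameter, so a value such as
-- N'1 OR 1=1' is compared as a string literal rather than parsed as SQL.
EXEC sys.sp_executesql
    @SQL,
    N'@p_value nvarchar(100)',
    @p_value = @Value;
```

Two caveats worth keeping in mind: QUOTENAME returns NULL for inputs longer than 128 characters, which silently turns the whole concatenated statement into NULL (using sysname for identifier variables enforces that limit up front), and parameterisation only covers values; table and column names can never be parameters, which is why the catalog check above is the real control for those.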