Self SQL Injection

  • Alessandro Mortola

    Say Hey Kid

    Points: 692

    Comments posted to this topic are about the item Self SQL Injection

  • Knut Boehnert


    Points: 2946

    Very nice story about white space matters.

  • Alex Friedman

    Right there with Babe

    Points: 755


  • Thom A

    SSC Guru

    Points: 98515

    It honestly surprises me how many people still leave themselves open to SQL injection. Parametrisation and the use of QUOTENAME (in SQL Server) make a query infinitely easier to make it avoidable. It really frustrates me when you see someone that's creating dynamic SQL with a statement like:
    SET @SQL = 'SELECT ' + @COL1 + ',' + @COL2 + ' FROM ' + @Table + ' WHERE ' + @Col1 + ' = ' + @Value;


    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
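    As an added example (not from Thom A's post), the same dynamic statement built the way the post recommends: QUOTENAME around the identifiers, a catalog check that they exist, and the value passed as a parameter to sp_executesql. The table dbo.Customers and its columns are assumed, and the hostile value is constructed.

```sql
-- Added example; objects are assumed: dbo.Customers(CustomerId, Email).
DECLARE @Schema sysname = N'dbo',
        @Table  sysname = N'Customers',
        @Col1   sysname = N'Email',
        @Col2   sysname = N'CustomerId',
        @Value  nvarchar(100) = N'x'' OR 1=1; DROP TABLE dbo.Customers; --';  -- constructed hostile input
DECLARE @SQL nvarchar(max);

-- Unsafe pattern quoted in the post: identifiers and the value are concatenated in verbatim,
-- so @Value becomes part of the statement text and is executed as code.
-- SET @SQL = N'SELECT ' + @Col1 + N',' + @Col2 + N' FROM ' + @Table
--          + N' WHERE ' + @Col1 + N' = ' + @Value;

-- 1. Identifiers cannot be parameterised, so confirm they exist before using them.
DECLARE @QualifiedTable nvarchar(600) = QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table);
IF COL_LENGTH(@QualifiedTable, @Col1) IS NULL
   OR COL_LENGTH(@QualifiedTable, @Col2) IS NULL
    THROW 50000, N'Unknown table or column.', 1;

-- 2. QUOTENAME brackets each identifier, so a name containing ] or ; stays a name.
-- 3. The value travels as an sp_executesql parameter and never touches the statement text.
SET @SQL = N'SELECT ' + QUOTENAME(@Col1) + N', ' + QUOTENAME(@Col2)
         + N' FROM ' + @QualifiedTable
         + N' WHERE ' + QUOTENAME(@Col1) + N' = @Val;';

PRINT @SQL;  -- the printed statement contains no user data at all

EXEC sys.sp_executesql @SQL, N'@Val nvarchar(100)', @Val = @Value;
-- The hostile string is compared against Email as a literal value and matches no rows.
```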
