Self SQL Injection

  • Comments posted to this topic are about the item Self SQL Injection

  • Very nice story about white space matters.

  • Ahahahahahahaha

  • It honestly surprises me how many people still leave themselves open to SQL injection. Parametrisation and the use of QUOTENAME (in SQL Server) make a query infinitely easier to make it avoidable. It really frustrates me when you see someone that's creating dynamic SQL with a statement like:
    @SQL = 'SELECT ' + @COL1 + ',' + @COL2 + ' FROM ' + @Table + ' WHERE ' + @Col1 + ' = ' + @Value;


    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply