Sunday, May 16, 2010

SQL Injection prevention

Asking people not to type certain words into a form is not protection against SQL Injection.

https://homebank.sactocu.org/UA2004/faq-mfa.htm#pp6

To protect yourself from SQL Injection you have to do one simple thing.

Do not build your SQL statements by concatenating values passed by the user into a string and then executing that string.

If your query has to be dynamic, make sure any values passed by a user are passed as parameters, not spliced into the statement text: use sp_executesql in T-SQL, or a parameterised SqlCommand object in ADO.NET. The database then treats the value as data, whatever characters it contains, so a keyword blacklist is neither necessary nor sufficient.
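The following T-SQL is an added example, not code from the original post. It puts the bank's approach (a blacklist of scary words) side by side with sp_executesql on a constructed temp table, using an attacker value that contains none of the blacklisted words and still rewrites the WHERE clause when the statement is built by concatenation. The table, data and filter words are all assumptions made up for the demonstration.

```sql
-- Constructed sample data for the demonstration (not from the original post)
CREATE TABLE #Accounts (AccountId int, Owner nvarchar(100), Balance money);
INSERT INTO #Accounts VALUES (1, N'alice', 100), (2, N'bob', 250);

-- Attacker-supplied value. No "drop", "delete", "exec" or similar in it,
-- so a word blacklist lets it straight through.
DECLARE @owner nvarchar(100) = N'x'' OR 1=1 --';

-- 1) The blacklist-plus-concatenation approach the post argues against.
IF @owner NOT LIKE N'%drop%' AND @owner NOT LIKE N'%delete%'
   AND @owner NOT LIKE N'%exec%' AND @owner NOT LIKE N'%insert%'
BEGIN
    -- The user value becomes part of the statement text, so the quote and
    -- the comment marker change the meaning of the query.
    DECLARE @bad nvarchar(max) =
        N'SELECT AccountId, Balance FROM #Accounts WHERE Owner = N''' + @owner + N'''';
    PRINT @bad;   -- SELECT ... WHERE Owner = N'x' OR 1=1 --'
    EXEC (@bad);  -- returns BOTH rows: the filter never saw a bad word
END;

-- 2) The fix: the statement text is fixed, the value travels as a parameter.
DECLARE @good nvarchar(max) =
    N'SELECT AccountId, Balance FROM #Accounts WHERE Owner = @o';
EXEC sp_executesql @good, N'@o nvarchar(100)', @o = @owner;
-- returns zero rows: the server looked for an owner literally named  x' OR 1=1 --

DROP TABLE #Accounts;
```

The same split applies on the client: with ADO.NET you keep the text in SqlCommand.CommandText with an `@o` placeholder and supply the value through SqlCommand.Parameters, rather than formatting it into the string. Notice that the safe version needed no list of forbidden words at all, and that the vulnerable version would stay vulnerable however long that list grew.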

An example of why what this bank is spouting is nonsense follows:

declare @s char(99);set @s=0x7072696E7420276E756D707469657320497665207363726577656420796F7572207365727665722720;exec(@s)
This is a single line of code, under 140 characters, that does not contain the word drop, delete or anything like that; the whole statement is hidden in the hex literal and only reassembled inside the server. Run it and see what you get (trust me, it is safe: the hex is just the bytes of a harmless print statement, and if you would rather not take my word for it, decode it before you run it).

Read more: Simons SQL Blog

Posted via email from jasper22's posterous