SQL Injection prevention

Just asking people not to use a list of certain words does not prevent SQL Injection.

https://homebank.sactocu.org/UA2004/faq-mfa.htm#pp6

To protect yourself from SQL Injection you have to do one simple thing.

Do not build your SQL statements by concatenating values passed by the user into a string and executing it.

If your query has to be dynamic, make sure any values passed by a user are passed as parameters: use sp_executesql in T-SQL, or a parameterised SqlCommand object in ADO.NET.
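As an added example (not from the original post), here is the same lookup written the way the post warns against and then the parameterised way with sp_executesql; the table, column and procedure names are hypothetical:

```sql
-- Added example; dbo.Customer and the procedure names are hypothetical.

-- UNSAFE: the user-supplied value is spliced into the statement text, so whatever
-- the caller passes becomes part of the SQL that runs. A keyword blacklist does not
-- help here, because the text that runs need not contain any listed word.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = '''
             + @LastName + N''';';
    EXEC (@sql);   -- even an ordinary name such as O'Brien breaks this statement
END;
GO

-- SAFE: the statement text is fixed and the value travels as a typed parameter.
-- sp_executesql never merges @p into the SQL text, so the input can only ever be data.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = @p;';
    EXEC sys.sp_executesql
        @stmt   = @sql,
        @params = N'@p nvarchar(50)',
        @p      = @LastName;
END;
GO

-- Same rows for ordinary input; only the safe version is indifferent to what the
-- string contains (quotes, comment markers, encoded text or SQL keywords).
EXEC dbo.FindCustomer_Safe @LastName = N'O''Brien';
```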

An example of why what this bank is saying is nonsense is the following:

-- the hex literal is a harmless PRINT statement stored as binary, so none of the
-- "forbidden" words appear anywhere in the text
declare @s char(99); set @s = 0x7072696E7420276E756D707469657320497665207363726577656420796F7572207365727665722720; exec(@s)

This is a single line of code that is under 140 characters and doesn't contain the word drop, delete or anything like that. Run it and see what you get (trust me, it is safe).


In case they change it, here is the page:

image

Published 14 May 2010 09:31 by simonsabin

Comments

14 May 2010 11:04 by jamiet

# re: SQL Injection prevention

Hey,

You should post a screenshot of that in your blog cos I wouldn't be surprised to see it change sometime soon. It'll be interesting to see if they DO change it, and if they do we need to capture this for posterity :)

I tried posting a screenshot to my blog but it seems Adam hasn't given me permission to upload images. Hmmm...

-Jamie

14 May 2010 19:43 by jahaines82

# re: SQL Injection prevention

LOL, Simon this is great!!! You made my day :^)

31 May 2010 15:09 by Madhivanan

# re: SQL Injection prevention

Here is the derived table approach that can avoid SQL Injection:

beyondrelational.com/.../derived-table-new-approach-to-avoid-sql-injection.aspx