Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
zaidqis
Yak Posting Veteran
63 Posts |
 Posted - 2006-07-01 : 05:15:41
|
| hii read about SQL Injectionand it is really dangerous !!what can i do to protect my database from SQL Injection ??thank you |
|
|
khtan
In (Som, Ni, Yak)
17689 Posts |
|
|
Kristen
Test
22859 Posts |
Posted - 2006-07-01 : 05:45:47
|
Use parameters in any calls to the server. Failing that double-up all the single quotes in anything they give you before you pass it to the server, and pass EVERYTHING as a single-quoted-string - i.e. even numbers. Then if someone enters a number as 9;'DROP DATABASE ...what you will actually pass to the database will be'9;''DROP DATABASE ...'which will be harmless (but probably raise an error if you syntax was expecting a number!)But using parameters solves all of that. use parameterized queries, OK? - did I say that already?  Do not execute any dynamic SQL for which the syntax is generate using data provide by the usere.g. user is allowed to enter MyColumn = 'FRED'and you append that to a WHERE clause ... they could, and will, type anything in there!Plenty more to be found using Google ...Kristen |
 |
|
|
zaidqis
Yak Posting Veteran
63 Posts |
Posted - 2006-07-01 : 07:07:26
|
| thank you |
|
|
|
madhivanan
Premature Yak Congratulator
22864 Posts |
Posted - 2006-07-01 : 08:37:53
|
| http://weblogs.sqlteam.com/jeffs/archive/2006/04/21/9651.aspxfilehttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000002.aspMadhivananFailing to plan is Planning to fail |
|
|
|
spirit1
Cybernetic Yak Master
11752 Posts |
|
|
|
|
|
SQL Injection