sql injection?

  • Question

hi, can anyone tell me what SQL injection is and how it can be used?
    pavankumar kavety
    Friday, November 13, 2009 4:51 AM


There's a whole MSDN Library article on this subject that you can find at http://msdn.microsoft.com/en-us/library/ms161953.aspx.

    Here's a quote from the top of the article:

    SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

    The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

    The article gives plenty of other great information about how to protect an application from malicious injection. 


    Sunday, November 15, 2009 9:06 PM
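The two forms of injection the quoted article describes (direct concatenation of user input, and the "less direct" case where a string is stored safely and later concatenated into dynamic SQL) can be reproduced end to end in a few lines. The following is an added example, not code from the post or from the MSDN article; it uses Python's built-in sqlite3 module as a stand-in for SQL Server, and the table, users and payloads are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the original post).
    SQLite stands in for SQL Server; the injection mechanics are the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The primary form: user input concatenated straight into the statement.
    With password = "' OR '1'='1" the WHERE clause becomes
    name = 'alice' AND password = '' OR '1'='1', which is true for every row."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterized version: the quote in the payload is data, never syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def register_safe(conn, name, password):
    """Stores the name with a parameterized INSERT, so this step alone is safe.
    Returns the new row id."""
    cur = conn.execute(
        "INSERT INTO users (name, password) VALUES (?, ?)", (name, password)
    )
    conn.commit()
    return cur.lastrowid


def find_by_stored_name_vulnerable(conn, user_id):
    """The less direct form: a value that was stored safely is later read back
    and concatenated into dynamic SQL. A stored name of "x' OR 1=1 --" turns
    the query into ... WHERE name = 'x' OR 1=1 --' and matches every user."""
    (stored,) = conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    sql = "SELECT name FROM users WHERE name = '" + stored + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_stored_name_safe(conn, user_id):
    """Same lookup, but the stored value is passed as a parameter again."""
    (stored,) = conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return [
        row[0]
        for row in conn.execute("SELECT name FROM users WHERE name = ?", (stored,))
    ]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("direct, vulnerable:", login_vulnerable(db, "alice", payload))
    print("direct, parameterized:", login_safe(db, "alice", payload))
    uid = register_safe(db, "x' OR 1=1 --", "pw")
    print("second-order, vulnerable:", find_by_stored_name_vulnerable(db, uid))
    print("second-order, parameterized:", find_by_stored_name_safe(db, uid))
```

Note that sqlite3's `execute()` refuses to run more than one statement, so a stacked payload such as `'; DROP TABLE users --` is not demonstrated here; on a server that accepts batches the same concatenation would execute it. The second-order case is the point behind the article's warning that "even parameterized data can be manipulated": parameterizing the INSERT protects only that statement, and any later code that builds SQL from the stored value by concatenation is still injectable.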