Just asking people not to use a list of certain words is not prevention from SQL injection: https://homebank.sactocu.org/UA2004/faq-mfa.htm#pp6

To protect yourself from SQL injection you have to do one simple thing: do not build your SQL statements by concatenating values passed by the user into a string and executing them. If your query has to be dynamic, then make sure any values passed by a user are passed as parameters, and use sp_executesql in T-SQL or a SqlCommand object in ADO.NET.

An example of why what this bank is spouting is nonsense is the following:

declare @s char(99);
set @s = 0x7072696E7420276E756D707469657320497665207363726577656420796F7572207365727665722720;
exec(@s)
This is a single line of code that is < 140 characters and doesn't contain the word drop, delete or anything like that. Run it and see what you get (trust me, it is safe). Read more: Simons SQL Blog
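To make the "parameters, not concatenation" point concrete, here is an added T-SQL example (not from the original post): the same lookup written the unsafe way and the sp_executesql way, driven by one constructed probe value. The table dbo.Customers, its columns and the procedure names are assumptions for illustration.

```sql
-- Added example, not from the original post. dbo.Customers, CustomerId,
-- CustomerName and the procedure names are assumed for illustration.

-- Unsafe: the user-supplied value is pasted into the statement text, so a
-- quote in the value ends the literal and the rest becomes executable SQL.
-- A keyword blacklist does not help here; the post shows the whole payload
-- can arrive as a hex literal containing none of the banned words.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, CustomerName FROM dbo.Customers '
      + N'WHERE CustomerName = ''' + @name + N'''';
    EXEC (@sql);
END;
GO

-- Safe: the statement text is fixed and the value travels as a typed
-- parameter through sp_executesql, so whatever @name contains is only
-- ever compared against the column, never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Safe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, CustomerName FROM dbo.Customers '
      + N'WHERE CustomerName = @p_name';
    EXEC sys.sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @name;
END;
GO

-- Constructed probe: a value that closes the quoted literal and appends a
-- harmless PRINT, in the spirit of the post's own example.
DECLARE @probe nvarchar(100) = N'x''; PRINT ''second statement ran''; --';

-- The concatenated version executes the appended PRINT as a second statement.
EXEC dbo.FindCustomer_Unsafe @name = @probe;

-- The parameterised version runs only the fixed SELECT; the probe string is
-- merely a value that matches no customer name.
EXEC dbo.FindCustomer_Safe @name = @probe;
```

The same rule applies on the client side: with ADO.NET, put the value in SqlCommand.Parameters rather than in the CommandText string.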