January 22, 2015 at 6:42 am
Hello All
Is the word "output" a SQL injected word? If yes, how can we protect our application, as "output" is a very common word in a text field...
Thanks in Advance
January 22, 2015 at 6:54 am
Parameterise your queries!
Don't try to blacklist, it doesn't work. Write properly parameterised queries, don't concatenate user input into a string and execute it.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
January 22, 2015 at 7:32 am
Listen to what Gail says. Blacklisting words is never going to work. A user can pass in hex strings too which will be converted back into text. Your blacklist will never catch this and you still have the same vulnerability. Using parameterized queries is the only way around this.
Consider this value: 0x39393939393939393939393920756e696f6e20616c6c202873656c656374202748656c6c6f21212729
What would happen in your blacklist check with that? It would pass. However, take a look at what this does when it is implicitly converted to a varchar.
declare @String varchar(max)
-- assigning a binary (0x...) literal to a varchar implicitly converts the bytes to text
set @String = 0x39393939393939393939393920756e696f6e20616c6c202873656c656374202748656c6c6f21212729
select @String
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
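The two points made above, Gail's (parameterise, don't blacklist) and Sean's (a hex literal carries the same words past any keyword filter), as an added example that is not part of the thread. It is my code, not the posters'; SQLite stands in for SQL Server, and the table, rows, blacklist and sample inputs are constructed here. The hex value is the one Sean posted.

```python
"""Added example (not from the thread): why a keyword blacklist cannot protect a
query, and what a parameterised query does instead. SQLite stands in for SQL
Server; the table, rows, blacklist and sample inputs are constructed here."""
import sqlite3

# The value Sean posted. As a hex literal it contains no blacklisted word at all.
HEX_VALUE = "0x39393939393939393939393920756e696f6e20616c6c202873656c656374202748656c6c6f21212729"

# A constructed blacklist of the kind the original poster was considering.
BLACKLIST = ("select", "union", "insert", "delete", "output", "--", ";")


def blacklist_allows(value: str) -> bool:
    """Reject input containing a 'dangerous' word. Returns True when the value
    would be let through. Note that ordinary text mentioning 'output' fails."""
    lowered = value.lower()
    return not any(word in lowered for word in BLACKLIST)


def decode_hex_literal(literal: str) -> str:
    """What a 0x... literal turns into once the server implicitly converts it
    to varchar: the bytes are plain ASCII text, words and all."""
    return bytes.fromhex(literal[2:]).decode("ascii")


def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (body) VALUES (?)",
        [("review the output of last night's batch",), ("unrelated note",)],
    )
    return conn


def find_notes_concatenated(conn: sqlite3.Connection, term: str) -> list:
    """The pattern the thread warns against: the user's text becomes part of
    the SQL statement, so it can change the statement's meaning (or break it)."""
    sql = "SELECT body FROM notes WHERE body LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def find_notes_parameterised(conn: sqlite3.Connection, term: str) -> list:
    """Gail's advice: the statement text is fixed and the value travels as a
    separate parameter, so 'output', quotes or 'union' are only ever data."""
    sql = "SELECT body FROM notes WHERE body LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (term,))]


def concatenation_breaks_on(conn: sqlite3.Connection, term: str) -> bool:
    """True when the concatenated statement cannot even run on the given text;
    an apostrophe in ordinary prose is enough. The parameterised version never
    has this problem."""
    try:
        find_notes_concatenated(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print(blacklist_allows("please check the output log"))  # False: legitimate text rejected
    print(blacklist_allows(HEX_VALUE))                        # True: the hex literal sails through
    print(decode_hex_literal(HEX_VALUE))                      # ...and decodes to a UNION query
    conn = setup_db()
    print(find_notes_parameterised(conn, "output"))           # the one matching row
    print(find_notes_parameterised(conn, "' OR 1=1 --"))     # []: treated as literal text
    print(find_notes_concatenated(conn, "' OR 1=1 --"))      # every row: the statement was rewritten
    print(concatenation_breaks_on(conn, "night's"))           # True: plain prose breaks it
```

The blacklist rejects the harmless sentence and accepts the hex literal, which is the inverse of what was wanted; the parameterised query needs no filter because the input never becomes SQL. With a SQL Server driver the same idea is `cmd.Parameters.Add(...)` in ADO.NET or `sp_executesql` with declared parameters, rather than `EXEC` of a concatenated string.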
January 22, 2015 at 8:46 am
Nice one, Sean. "Hello" to you too. @=)
January 23, 2015 at 1:06 am
Thanks everyone...