January 28, 2010 at 8:20 am
Alvin Ramard (1/28/2010)
...I almost added a comment about not paying for Gail's travel expenses.
So I guess you're not paying mine either.:crying:
-- Gianluca Sartori
January 28, 2010 at 8:24 am
Gianluca Sartori (1/28/2010)
Alvin Ramard (1/28/2010)
...I almost added a comment about not paying for Gail's travel expenses.
So I guess you're not paying mine either.:crying:
That's probably more than we could arrange at this time with our limited sponsorship.
I suppose I could check with INETA. :unsure:
For best practices on asking questions, please read the following article: Forum Etiquette: How to post data/code on a forum to get the best help
January 28, 2010 at 8:32 am
Alvin Ramard (1/28/2010)
I almost added a comment about not paying for Gail's travel expenses.
and I was just about to make some snarky comments.... 😉
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
January 28, 2010 at 8:38 am
Steve Jones - Editor (1/28/2010)
I think the biggest issue with SQL Injection is the front ends. It's not SQL. Even if I have a good proc, spDoSomethingCool, if I call it as
Dim MySQL As String = "spDoSomethingCool '" + SomeVariable + "' "
Dim myConn As SqlConnection = New SqlConnection(ConfigurationSettings.AppSettings("YourAppSettings"))
Dim ds As DataSet = New DataSet()
Dim Cmd As New SqlDataAdapter(MySQL, myConn)
And someone can input data into "SomeVariable", they could skip entering "1" and instead enter "1 ; shutdown"
The concatenation on the front end can be the issue if the developer doesn't properly send parameters through.
Some people would say the first problem with that code is that it is VB!:w00t:
Definitely the main issue with SQL Injection is improperly coding the front end, but as Gus pointed out, you need to be careful in your SQL as well, if you allow dynamic columns, tables, grouping, ordering as you can't use parameters for that, but need to concatenate.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
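The two points made above, that a value concatenated into the command text is parsed as SQL while a bound parameter is only ever data, and that a dynamic column name cannot be parameterized and so must be allow-listed before it is concatenated, as an added example that is not part of the thread. It is my own illustration in Python on an in-memory SQLite database (chosen because it runs stand-alone; the same pattern applies to SqlCommand parameters and sp_executesql/QUOTENAME on SQL Server); the table, rows and function names are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the thread): a small customer table.
SAMPLE_ROWS = [(1, "Alice"), (2, "O'Brien"), (3, "Gail")]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO customers (id, name) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_by_name_concatenated(conn, name):
    """Same pattern as the VB snippet in the thread: the user value is glued
    into the SQL text, so the database parses whatever was typed as SQL."""
    sql = "SELECT id FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_parameterized(conn, name):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT id FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Jack's point: ORDER BY <column> cannot take a parameter, so the identifier
# is checked against a fixed allow-list and quoted before it is concatenated.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: %r" % sort_column)
    sql = 'SELECT name FROM customers ORDER BY "' + sort_column + '"'
    return [row[0] for row in conn.execute(sql)]


def demo():
    conn = open_db()
    results = {}
    # A legitimate name containing an apostrophe shows that the concatenated
    # text is being parsed as SQL: it fails, while the bound parameter works.
    try:
        find_by_name_concatenated(conn, "O'Brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    results["param_apostrophe"] = find_by_name_parameterized(conn, "O'Brien")
    # The thread's "1 ; shutdown" input is just a string value to the
    # parameterized query; no row has that name, so nothing comes back.
    results["param_hostile"] = find_by_name_parameterized(conn, "1 ; shutdown")
    results["sorted_by_name"] = list_sorted(conn, "name")
    # An identifier that is not on the allow-list is rejected before any SQL is built.
    try:
        list_sorted(conn, "name; shutdown")
        results["bad_sort"] = "accepted"
    except ValueError:
        results["bad_sort"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The apostrophe case is the cheap way to prove that concatenated input reaches the SQL parser; if an ordinary name can break the statement, hostile input can reshape it. The allow-list is deliberately a fixed set rather than a lookup in the catalog, so a request for any column outside the set fails closed.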
January 28, 2010 at 8:40 am
GilaMonster (1/28/2010)
Alvin Ramard (1/28/2010)
I almost added a comment about not paying for Gail's travel expenses.
and I was just about to make some snarky comments.... 😉
You can still make them. 😀
For best practices on asking questions, please read the following article: Forum Etiquette: How to post data/code on a forum to get the best help
January 28, 2010 at 8:40 am
Oh ... No ... Halo tarnishing and slipping!
January 28, 2010 at 8:43 am
Lynn Pettis (1/28/2010)
Oh ... No ... Halo tarnishing and slipping!
I think it's justified, especially with his last comment...
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
January 28, 2010 at 8:45 am
GilaMonster (1/28/2010)
Lynn Pettis (1/28/2010)
Oh ... No ... Halo tarnishing and slipping!
I think it's justified, especially with his last comment...
I know I shouldn't have done that, but I added my 3 cents worth.
For best practices on asking questions, please read the following article: Forum Etiquette: How to post data/code on a forum to get the best help
January 28, 2010 at 8:48 am
No, that was some seriously scattered questions & responses. I think a bit of the old hickory was needed.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
January 28, 2010 at 8:49 am
Not sure what you can do with that guy except ignore him.
January 28, 2010 at 8:55 am
Actually his comment may have been much nicer than we thought, thanks to his poor English.
He may have meant that he has "read the books" and that is basically all he knows whereas others have "so much time on", meaning more time working with SQL or more experience, and are lucky that way.
I may be wrong.
For best practices on asking questions, please read the following article: Forum Etiquette: How to post data/code on a forum to get the best help
January 28, 2010 at 9:20 am
Alvin Ramard (1/28/2010)
Actually his comment may have been much nicer than we thought, thanks to his poor English.
He may have meant that he has "read the books" and that is basically all he knows whereas others have "so much time on", meaning more time working with SQL or more experience, and are lucky that way.
I may be wrong.
Do you have the crystal ball now?
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
January 28, 2010 at 9:24 am
CirquedeSQLeil (1/28/2010)
Alvin Ramard (1/28/2010)
Actually his comment may have been much nicer than we thought, thanks to his poor English.
He may have meant that he has "read the books" and that is basically all he knows whereas others have "so much time on", meaning more time working with SQL or more experience, and are lucky that way.
I may be wrong.
Do you have the crystal ball now?
Not anymore. It rolled off the table and onto the floor. Then the poor crystal ball rolled right out the door.
😀
For best practices on asking questions, please read the following article: Forum Etiquette: How to post data/code on a forum to get the best help
January 28, 2010 at 9:25 am
Rubberized crystal?? Must be, it keeps bouncing around the world! 😛
January 28, 2010 at 9:28 am
Alvin Ramard (1/28/2010)
Gianluca Sartori (1/28/2010)
Alvin Ramard (1/28/2010)
FYI, you're all invited to come to Memphis in April to continue this discussion on SQL Injection.
We normally meet on the 2nd Thursday of the month.
😀
Thanks Alvin, it's not exactly next door for me, but thank you for the invitation.:-)
Will you come to Venice in turn?
I understand your comment. No, I'm not ready to go to Venice.
When I wrote the invitation, I almost added a comment about not paying for Gail's travel expenses.
Today is a Thread Gone Wild day - and I am still catching up.
So will you pay for travel expenses of those denizens that are closer (Jack in Florida, Grant in New England?, Steve or Lynn from Colorado)?
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events