what is mean by sql injection

Posted by Johnseelan under Sql Server on 1/24/2011 | Points: 10 | Views : 2727 | Status : [Member] | Replies : 4

Write New Post |

Search Forums | Answered

Resolved Posts |

Un Answered Posts |

Forums Home

hi

what is mean by sql injection
can any one give me the Definition and example for this

Reply | Reply with Attachment

Alert Moderator

Responses

Posted by: PandianS on: 1/24/2011 [Member] [MVP] Silver | Points: 25

0	Hi John 1.SQL injection is an attack in which malicious code is passed into strings through the Parameters that are later parsed/executed to an instance of SQL Server. 2.The primary form of SQL injection contains user-input variables that are concatenated with SQL commands and executed. 3.The injection process works by prematurely terminating a text string and appending a new command. 4. If you have any Input parameters and that parameters will be executed in SQL Server instance based on the input what you have passing... See The sample given below, Incase somebody want to hack your data/misbehave the actual scenario. The below script have two part seperated by (;), So the first part will get the Current date from the instance and Second part will DELETE the data from "Table1". DECLARE @varSQL VARCHAR(100) SELECT @varSQL = 'SELECT GetDate() [Current Date & Time]; DELETE Table1' EXEC(@varSQL) So, Becareful when using the parameters from the outside of the SQL Server like Application...! Kindly parse/validate the input parameters before EXECUTE IT! Cheers www.sqlserverbuddy.blogspot.com Cheers www.SQLServerbuddy.blogspot.com iLink Multitech Solutions Johnseelan, if this helps please login to Mark As Answer. \| Alert Moderator

Hi John

1.SQL injection is an attack in which malicious code is passed into strings through the Parameters that are later parsed/executed to an instance of SQL Server.

2.The primary form of SQL injection contains user-input variables that are concatenated with SQL commands and executed.

3.The injection process works by prematurely terminating a text string and appending a new command.

4. If you have any Input parameters and that parameters will be executed in SQL Server instance based on the input what you have passing...

See The sample given below,

Incase somebody want to hack your data/misbehave the actual scenario.

The below script have two part seperated by (;), So the first part will get the Current date from the instance and Second part will DELETE the data from "Table1".

DECLARE @varSQL VARCHAR(100)

SELECT @varSQL = 'SELECT GetDate() [Current Date & Time]; DELETE Table1'

EXEC(@varSQL)

So, Becareful when using the parameters from the outside of the SQL Server like Application...!

Kindly parse/validate the input parameters before EXECUTE IT!

Cheers
www.sqlserverbuddy.blogspot.com

Cheers
www.SQLServerbuddy.blogspot.com
iLink Multitech Solutions

Johnseelan, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Vuyiswamb on: 1/24/2011 [Member] [MVP] [Administrator] NotApplicable | Points: 25

0	I once written a a controversial article at CodeProject, but i think i have it here at DNF http://www.dotnetfunda.com/articles/article295.aspx Thank you for posting at Dotnetfunda [Administrator] Johnseelan, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Karthikanbarasan on: 1/24/2011 [Member] [Moderator] [Microsoft_MVP] [MVP] Silver | Points: 25

0	Hi, Check this article... http://unixwiz.net/techtips/sql-injection.html Thanks Karthik www.f5Debug.net Johnseelan, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Prabhakar on: 1/24/2011 [Member] [MVP] Starter | Points: 25

0	hi Johnseelan SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. ... en.wikipedia.org/wiki/SQL_injection Thanks & Regard's Prabhakar Best Regard's Prabhakar Johnseelan, if this helps please login to Mark As Answer. \| Alert Moderator

Latest Posts