1.SQL injection is an attack in which malicious code is passed into strings through the Parameters that are later parsed/executed to an instance of SQL Server.
2.The primary form of SQL injection contains user-input variables that are concatenated with SQL commands and executed.
3.The injection process works by prematurely terminating a text string and appending a new command.
4. If you have any Input parameters and that parameters will be executed in SQL Server instance based on the input what you have passing...
See The sample given below,
Incase somebody want to hack your data/misbehave the actual scenario.
The below script have two part seperated by (;), So the first part will get the Current date from the instance and Second part will DELETE the data from "Table1".
DECLARE @varSQL VARCHAR(100)
SELECT @varSQL = 'SELECT GetDate() [Current Date & Time]; DELETE Table1'
So, Becareful when using the parameters from the outside of the SQL Server like Application...!
Kindly parse/validate the input parameters before EXECUTE IT!
www.sqlserverbuddy.blogspot.com Johnseelan, if this helps please login to Mark As Answer. | Alert Moderator