What is meant by SQL injection?

Posted by Johnseelan under Sql Server on 1/24/2011 | Points: 10 | Views : 1573 | Status : [Member] | Replies : 4
Hi,

What is meant by SQL injection?
Can anyone give me the definition and an example of this?

Responses

Posted by: PandianS on: 1/24/2011 [Member] [MVP] Silver | Points: 25

Hi John

1. SQL injection is an attack in which malicious code is passed into strings through parameters that are later parsed/executed by an instance of SQL Server.

2. The primary form of SQL injection consists of user-input variables that are concatenated with SQL commands and executed.

3. The injection process works by prematurely terminating a text string and appending a new command.

4. If you have any input parameters, those parameters will be executed in the SQL Server instance based on the input you are passing...

See the sample given below.

In case somebody wants to hack your data/misbehave in the actual scenario:

The script below has two parts separated by (;), so the first part will get the current date from the instance and the second part will DELETE the data from "Table1".
DECLARE @varSQL VARCHAR(100)

SELECT @varSQL = 'SELECT GetDate() [Current Date & Time]; DELETE Table1'
EXEC(@varSQL)
So, be careful when using parameters from outside of SQL Server, like from an application...!

Kindly parse/validate the input parameters before you EXECUTE them!

Cheers
www.SQLServerbuddy.blogspot.com
iLink Multitech Solutions

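The reply above shows the two-statement payload by itself but not how it gets into the batch in the first place. The T-SQL below is an added example (not PandianS's code and not from the original post) that shows the concatenation pattern from point 2, the string-termination trick from point 3, and the standard SQL Server fix: passing the value through sp_executesql as a typed parameter. The table Table1 with columns Id and Name and the two procedure names are assumed for illustration.

```sql
-- Added example, not part of the original post.
-- Assumed schema: Table1(Id, Name). Run in a scratch database.
CREATE TABLE Table1 (Id INT IDENTITY PRIMARY KEY, Name NVARCHAR(50));
INSERT INTO Table1 (Name) VALUES (N'alpha'), (N'beta');
GO

-- VULNERABLE: the caller's value becomes part of the statement text.
-- A single quote in @Name closes the literal early and whatever follows
-- is parsed as more SQL (points 2 and 3 in the reply above).
CREATE PROCEDURE dbo.FindByName_Unsafe @Name NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name FROM Table1 WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END
GO

-- FIXED: the statement text is a constant; the value travels as a typed
-- parameter, so quotes and semicolons inside it are just data.
CREATE PROCEDURE dbo.FindByName_Safe @Name NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name FROM Table1 WHERE Name = @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(50)', @p = @Name;
END
GO

-- Hostile input (constructed for this example): closes the string literal,
-- appends a second statement, and comments out the trailing quote.
DECLARE @hostile NVARCHAR(50) = N'x''; DELETE Table1; --';

-- Safe procedure: looks for a row literally named  x'; DELETE Table1; --
-- and nothing else happens. Row count is unchanged afterwards.
EXEC dbo.FindByName_Safe @hostile;
SELECT COUNT(*) AS RowsAfterSafeCall FROM Table1;

-- Unsafe procedure: the batch it executes is
--   SELECT Id, Name FROM Table1 WHERE Name = 'x'; DELETE Table1; --'
-- so the second statement empties the table.
EXEC dbo.FindByName_Unsafe @hostile;
SELECT COUNT(*) AS RowsAfterUnsafeCall FROM Table1;

-- Clean up the scratch objects.
DROP PROCEDURE dbo.FindByName_Unsafe;
DROP PROCEDURE dbo.FindByName_Safe;
DROP TABLE Table1;
GO
```

Two caveats worth knowing when applying this. First, parameters only cover values: sp_executesql cannot take a table or column name as @p, so when an identifier genuinely has to vary, check it against an allow-list and wrap it with QUOTENAME() before concatenating. Second, the same rule applies on the application side; the ADO.NET equivalent is SqlParameter on a SqlCommand rather than string concatenation, and a stored procedure that concatenates internally, as FindByName_Unsafe does, is still injectable no matter how the application calls it.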

Posted by: Vuyiswamb on: 1/24/2011 [Member] [MVP] [Administrator] NotApplicable | Points: 25

I once wrote a controversial article at CodeProject, but I think I have it here at DNF:
http://www.dotnetfunda.com/articles/article295.aspx

Thank you for posting at Dotnetfunda
[Administrator]


Posted by: Karthikanbarasan on: 1/24/2011 [Member] [Moderator] [Microsoft_MVP] [MVP] Silver | Points: 25

Hi,

Check this article...

http://unixwiz.net/techtips/sql-injection.html

Thanks
Karthik
www.f5Debug.net


Posted by: Prabhakar on: 1/24/2011 [Member] [MVP] Starter | Points: 25

Hi Johnseelan,

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. ...
en.wikipedia.org/wiki/SQL_injection

Thanks & Regards
Prabhakar
