Thursday, 17 January 2013

Website Security - SQL injection

A couple of rules to use:
  1. Always check your input parameters, whether they come from a user or from another system.
  2. If you get a string from input, never insert it straight into an SQL command.

SQL injection examples:

"SELECT * FROM products
WHERE id LIKE '%a%'
exec master..xp_cmdshell 'net user test testpass /ADD' --%'"

The `--` comments out the rest of the original SQL, so the attacker's own SQL is executed in its place.
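As an added example (not code from the original post), the two rules above side by side in Python with SQLite: the concatenated query lets a crafted id fragment comment out the rest of the statement, as described above, while the bound parameter and the allow-list check do not. The table, column and function names are assumptions.

```python
import re
import sqlite3

# Constructed in-memory product table (assumption, not the post's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("a1", "anchor", 0), ("b2", "bolt", 0), ("c3", "secret", 1)],
    )
    return conn

def search_vulnerable(conn, term):
    # Rule 2 broken: the user's string is spliced straight into the SQL text,
    # so a quote plus "--" ends the pattern and comments out the hidden filter.
    sql = "SELECT id FROM products WHERE hidden = 0 AND id LIKE '%" + term + "%'"
    return sorted(row[0] for row in conn.execute(sql))

def search_parameterised(conn, term):
    # Rule 2 kept: the driver binds the value, so quotes and "--" stay literal
    # pattern characters and the hidden filter is always applied.
    sql = "SELECT id FROM products WHERE hidden = 0 AND id LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))

ID_FRAGMENT = re.compile(r"^[A-Za-z0-9]{1,20}$")

def validate_id_fragment(term):
    # Rule 1: allow-list the input before it goes anywhere near the database.
    if not ID_FRAGMENT.match(term):
        raise ValueError("invalid product id fragment")
    return term

if __name__ == "__main__":
    db = make_db()
    crafted = "a' OR 1=1 --"
    print("vulnerable:", search_vulnerable(db, crafted))      # hidden row leaks
    print("parameterised:", search_parameterised(db, crafted))  # nothing matches
```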
