Thursday, 17 January 2013

Website Security - SQL injection


A couple of rules to follow:
  1. Always validate input parameters, whether they come from the user or from another system.
  2. If you get a string from input, never insert it straight into a SQL command; pass it as a bound parameter instead.


SQL injection example (SQL Server):

Suppose the application builds its search query by dropping the user's term straight into the string:

    SELECT * FROM products WHERE id LIKE '%<user input>%'

If the attacker sends this as the search term:

    a%' exec master..xp_cmdshell 'net user test testpass /ADD' --

the statement the server actually runs is:

    SELECT * FROM products
    WHERE id LIKE '%a%'
    exec master..xp_cmdshell 'net user test testpass /ADD' --%'

The quote after a% closes the string literal, the exec adds a second statement to the batch (T-SQL does not require a semicolon between statements), and the trailing -- comments out the rest of the original SQL (the closing %') so the batch still parses. In this way you can comment out existing SQL and introduce your own SQL to be executed.

This particular payload only works if the application's database login can run xp_cmdshell, which is disabled by default since SQL Server 2005 and normally limited to sysadmin; the command then runs as the SQL Server service account. That is one more reason to give the application a least-privilege database account, but any statement the login is allowed to run can be injected the same way.
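The following is an added example, not code from the original post, showing both rules above side by side: a search function that concatenates the input (rule 2 broken), the same search with a bound parameter, and an allow-list check in front of it (rule 1). It uses Python's sqlite3 with a small in-memory products table constructed for the example, and a tautology payload (a%' OR 1=1 --) in place of the xp_cmdshell one, because SQLite has no xp_cmdshell and the sqlite3 driver refuses a second statement; the mechanism is the same: close the quote, add your own SQL, comment out the rest. The table, column names and the allowed id format are assumptions for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the example (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("abc-1", "widget", 9.99), ("xyz-2", "gadget", 19.99), ("secret-3", "unreleased", 0.0)],
    )
    return conn


def search_vulnerable(conn, user_input):
    """Rule 2 broken: the input becomes part of the SQL text itself."""
    sql = "SELECT id FROM products WHERE id LIKE '%" + user_input + "%'"
    # With user_input = "a%' OR 1=1 --" the SQL becomes
    #   SELECT id FROM products WHERE id LIKE '%a%' OR 1=1 --%'
    # and every row comes back.
    return sorted(row[0] for row in conn.execute(sql))


def like_escape(s):
    """Escape LIKE wildcards so the user can only search for literal text.
    Binding stops SQL injection, but % and _ in the value would still act as
    wildcards inside LIKE; this closes that gap (used with ESCAPE '\\')."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_parameterized(conn, user_input):
    """Rule 2 followed: the value is bound separately and can never become SQL syntax."""
    sql = "SELECT id FROM products WHERE id LIKE ? ESCAPE '\\'"
    pattern = "%" + like_escape(user_input) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


# Assumed format for a product id fragment: letters, digits and dashes only.
ID_FRAGMENT = re.compile(r"[A-Za-z0-9-]{1,32}")


def search_validated(conn, user_input):
    """Rule 1: allow-list the shape of the input before it goes anywhere near SQL.
    Defence in depth on top of binding; it also rejects the injection payload
    outright, and catches callers who might still concatenate elsewhere."""
    if not ID_FRAGMENT.fullmatch(user_input):
        raise ValueError("invalid product id fragment")
    return search_parameterized(conn, user_input)


if __name__ == "__main__":
    db = make_db()
    payload = "a%' OR 1=1 --"
    print("vulnerable:    ", search_vulnerable(db, payload))     # all three ids
    print("parameterized: ", search_parameterized(db, payload))  # []
    try:
        search_validated(db, payload)
    except ValueError as e:
        print("validated:      rejected:", e)
```

Running the block prints all three ids for the concatenated query, an empty list for the bound one (no id contains the payload as literal text) and a rejection from the validated one. The allow-list check should be written for the specific field; a free-text search field cannot be restricted this tightly, which is exactly why binding the parameter, not validation, is the control you must never skip.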