A couple of rules to follow:
- Always validate the input parameters you receive, whether they come from a user or from another system.
- If you receive a string from input, never insert that string directly into an SQL command.
SQL injection example:
"SELECT * FROM products WHERE id LIKE '%a%' exec master..xp_cmdshell 'net user test testpass /ADD' --%'";
The `--` comments out the remainder of the original statement, so the SQL supplied in the input is executed instead of the query the developer wrote.
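To show both rules in working code, here is an added example (it is not part of the original post) using Python's built-in sqlite3 module and a constructed `products` table. `search_unsafe` splices the input into the SQL text, so a quote or a `--` in the input rewrites the statement; `search_safe` passes the same input as a bound parameter, so it can only ever be compared as data; `validate_term` applies an allow-list check, which also rejects the LIKE wildcards `%` and `_` that parameters alone do not neutralise. The table contents, column names and the `ID_PATTERN` allow-list are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data (assumption for this example, not from the post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("a1", "apple", 1), ("a2", "apricot", 0), ("b1", "banana", 1)],
    )
    return conn


def search_unsafe(conn, term):
    # Vulnerable: the user's string becomes part of the SQL text, so quotes
    # and comment markers inside it change the statement's meaning.
    sql = "SELECT id FROM products WHERE id LIKE '%" + term + "%' AND active = 1"
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn, term):
    # Parameterised: the statement text is fixed; the driver sends the value
    # separately and it is only ever compared as data, never parsed as SQL.
    sql = "SELECT id FROM products WHERE id LIKE ? AND active = 1"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


# Allow-list for an id fragment (assumed format): letters and digits only.
ID_PATTERN = re.compile(r"[A-Za-z0-9]{1,16}")


def validate_term(term):
    # First rule from the post: check the parameter before it reaches SQL.
    # The allow-list also rejects % and _, which are still LIKE wildcards
    # even when the value is passed as a parameter.
    if not ID_PATTERN.fullmatch(term):
        raise ValueError("invalid product id fragment")
    return term


def breaks_statement(conn, term):
    # True when concatenating this input produces SQL the database rejects,
    # a typical first symptom of injection (e.g. a stray single quote).
    try:
        search_unsafe(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(search_unsafe(db, "a"))        # ['a1']
    print(search_unsafe(db, "a%' --"))   # ['a1', 'a2']: the active filter was commented out
    print(search_safe(db, "a%' --"))     # []: the literal string matches no id
    print(breaks_statement(db, "a'b"))   # True
    print(validate_term("a1"))           # 'a1'
```

The comment-out input from the post is what makes the difference visible: in `search_unsafe` the `--` removes the `AND active = 1` condition and the inactive product leaks into the result, while in `search_safe` the same characters are just part of a pattern that matches nothing.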