|    comp.databases.ms-sqlserver    |    Notorious Rube Goldberg contraption    |    19,505 messages    |
|    Message 19,145 of 19,505    |
|    Erland Sommarskog to Tony Johansson    |
|    Re: SQl -injection    |
|    28 Jan 15 13:45:37    |
   
   From: esquel@sommarskog.se   
      
   Tony Johansson (johansson.andersson@telia.com) writes:   
   > In the form there is a text field for name   
   >   
   > This query is meant to be used like this   
   > select Namn, Adress, Telefonnummer   
   > from Abonnent   
   > where Namn = 'Olle Karlsson' // This name is fetched from the text field   
   > 'name' in the form   
   > and hemligtNummer = false;   
   >   
   > If the user now enters some strange characters in the text field in the form,   
   > like this   
   > select Namn, Adress, Telefonnummer   
   > from Abonnent   
   > where Namn = 'Olle Karlsson' or 'a'='a' or 'a'='a'   
   > and hemligtNummer = false;   
   >   
   > I don't understand how the second query can result in all rows being   
   > fetched   
      
   So that depends on how you submit the query. If you submit the query as:   
      
   cmd.CommandText =   
    @"select Namn, Adress, Telefonnummer   
    from Abonnent   
    where Namn = @name";   
   cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = "Olle Karlsson";   
      
   There is no issue. (The syntax is C#, but all environments permit you to do   
   things like this.)   
      
   But if you do:   
      
   cmd.CommandText =   
    @"select Namn, Adress, Telefonnummer   
    from Abonnent   
    where Namn = '" + TextBox.Text + "'";   
      
   This is wide open for SQL injection. For instance, try to enter this in the   
   textbox and see what happens:   
      
    ' SHUTDOWN WITH NOWAIT --   
      
   --   
   Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se   
      
   Books Online for SQL Server 2005 at   
   http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx   
   Books Online for SQL Server 2000 at   
   http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx   
      
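The two patterns Erland contrasts, as an added example that is not part of the original thread: the same lookup built once by string concatenation and once with a bound parameter (Python's sqlite3 `?` placeholder stands in for the C# `@name` parameter). The table, the sample rows and the "hemligtNummer = 0" spelling of the boolean are constructed for this example, and it uses the exact text-field input from Tony's question. It also shows why that input returns every row: AND binds tighter than OR, so the concatenated WHERE clause parses as `Namn = '...' OR 'a'='a' OR ('a'='a' AND hemligtNummer = 0)`, and the secret-number filter only applies to the last branch.

```python
import sqlite3

# Constructed sample data (not from the original post): three subscribers,
# one of whom has a secret (unlisted) number, hemligtNummer = 1.
ROWS = [
    ("Olle Karlsson", "Storgatan 1", "08-111111", 0),
    ("Anna Svensson", "Lillgatan 2", "08-222222", 1),
    ("Per Nilsson", "Kyrkogatan 3", "08-333333", 0),
]

# The text-field input from the question, exactly as a user could type it.
INJECTED_NAME = "Olle Karlsson' or 'a'='a' or 'a'='a"


def make_db():
    """Create an in-memory Abonnent table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table Abonnent "
        "(Namn text, Adress text, Telefonnummer text, hemligtNummer integer)"
    )
    conn.executemany("insert into Abonnent values (?, ?, ?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, name):
    """The vulnerable pattern: the field value is pasted into the SQL text.

    With INJECTED_NAME the resulting WHERE clause is
        Namn = 'Olle Karlsson' or 'a'='a' or 'a'='a' and hemligtNummer = 0
    which, because AND binds tighter than OR, is true for every row,
    secret numbers included.
    """
    sql = (
        "select Namn, Adress, Telefonnummer from Abonnent "
        "where Namn = '" + name + "' and hemligtNummer = 0"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The safe pattern: the name travels as a bound value, never as SQL.

    The quote characters in INJECTED_NAME are just part of a (non-existent)
    subscriber name here, so the query matches nothing.
    """
    sql = (
        "select Namn, Adress, Telefonnummer from Abonnent "
        "where Namn = ? and hemligtNummer = 0"
    )
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal input:", lookup_concatenated(db, "Olle Karlsson"))
    print("concatenated, injected input:", lookup_concatenated(db, INJECTED_NAME))
    print("parameterized, normal input:", lookup_parameterized(db, "Olle Karlsson"))
    print("parameterized, injected input:", lookup_parameterized(db, INJECTED_NAME))
```

Run as a script it prints one row for the honest lookup in both variants, all three rows (Anna's secret number among them) for the concatenated query fed the injected input, and an empty list for the parameterized query fed the same input. The detection angle for a defender is the same in any database: a lookup that is supposed to return at most one subscriber suddenly returning the whole table is the symptom, and binding parameters is the fix.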