sp_executesql and SQL injection
To: Mike Yearwood, Toronto, Ontario, Canada
Date: 17/05/2011 15:52:56
Forum: Microsoft SQL Server
Category: Stored procedures, Triggers, UDFs
SQL Server: SQL Server 2008
Application: Web
Thread ID: 01510894
Message ID: 01510907
Views: 70
>m.lcParameter = "something to be injected"
>
>Here I add the parameter to the string:
>lcSQL = "select * from table where field = ?lcParameter"
>
>vs
>
>Here I add the parameter value to the string:
>lcSQL = "select * from table where field = '" + m.lcParameter + "'"
>
>The difference is obvious.

Why are you showing a VFP sample? Also, I know that; are you explaining it for Brandon?
If it's not broken, fix it until it is.
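The same contrast the quoted post draws in VFP, shown in T-SQL on SQL Server 2008 with sp_executesql; this is an added example, not code from the thread or its participants, and the temporary table, its columns and the sample value are assumptions for the demo:

```sql
-- Added example: the same query built two ways in SQL Server 2008.
-- #Customer, its columns and the sample value are constructed for the demo.
CREATE TABLE #Customer (Id int, LastName nvarchar(50));
INSERT INTO #Customer (Id, LastName) VALUES (1, N'Smith'), (2, N'O''Brien');

-- A legitimate value that happens to contain a quote character.
DECLARE @Value nvarchar(50) = N'O''Brien';

-- Unsafe: the value is spliced into the statement text, so whatever it
-- contains (here just an apostrophe) becomes part of the SQL that is parsed.
-- The text no longer says what the author intended, which is the whole problem.
DECLARE @Unsafe nvarchar(max) =
    N'SELECT Id, LastName FROM #Customer WHERE LastName = ''' + @Value + N'''';
-- EXEC (@Unsafe);   -- left commented out: the spliced text is not the intended query

-- Safe: the statement text is fixed and the value is passed as a typed
-- parameter, so it is only ever compared, never parsed as SQL.
DECLARE @Sql nvarchar(max) =
    N'SELECT Id, LastName FROM #Customer WHERE LastName = @p';
EXEC sp_executesql @Sql, N'@p nvarchar(50)', @p = @Value;

DROP TABLE #Customer;
```

The parameterised form also removes the need to escape quotes by hand, which is why it is the correct choice even when the input is trusted.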