Please please please learn about SQL Injection Attacks

Here are two more great blog entries about preventing SQL Injection Attacks. First, Bertrand Le Roy gives some excellent advice about how to spot potential sites for injection attacks and how to get yourself out of that mess: Please, please, please, learn about injection attacks! Second, Brian Delahunty points out three PDFs with some good information […]

Oh No! More on SQL Injection Attacks

I’ve not written about this in a while because it seemed that people were getting the message. But today I was asked, on Code Project, “I am wondering why injecting values into the [SQL] string is considered a security risk?” Here is my response: Because if you inject strings into the SQL, especially ones that […]

SQL Injection Attacks and executing dynamically created SQL

There is a very important difference between EXEC[UTE] and sp_executesql that anyone who executes dynamically generated SQL statements ought to know. Typically dynamic SQL is generated when a particular construct is not possible by using parameters alone or when certain parts are added to the statement depending on other conditions. In the latter case, sp_executesql […]

SQL Injection Attacks and Some Tips on How to Prevent Them

Introduction Security in software applications is an ever more important topic. In this article, I discuss various aspects of SQL Injection attacks, what to look for in your code, and how to secure it against SQL Injection attacks. Although the technologies used here are SQL Server 2000 and the .NET Framework, the general ideas presented […]