dbTalk Databases Forums

Sql injecting

comp.databases.ms-sqlserver

#1
ofiras
Sql injecting - 11-16-2007, 03:31 AM

Hi everyone,
I'm a web programmer, but I never understood sql injecting.
All I found was that you can write "a' or 'a'='a" in the password
field to try to connect without knowing the password.
I heard that there are many other ways to do sql injecting, and I
never found how.
I know that you can even manage to get data from sql tables using sql
injecting.
How can it be? How can someone do it?
Please help,
Ofir.


#2
Dan Guzman
Re: Sql injecting - 11-16-2007, 07:01 AM

Quote:
I'm a web programmer, but I never understood sql injecting.
Your best defense against SQL injection in SQL Server is to execute only
parameterized SQL statements and stored procedures. Never build SQL strings
by concatenating values. Code is vulnerable to injection if SQL statements
are built and executed like:

sqlStatement = "SELECT MyData FROM dbo.MyTable WHERE MyColumn = '" + myValue + "'";

A malicious user can change the intent of this SQL statement by specifying a
value like:

';DROP TABLE dbo.MyTable;--

or

' UNION ALL SELECT Password FROM dbo.Users;--

Google "SQL injection" for more information.

--
Hope this helps.

Dan Guzman
SQL Server MVP

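The two patterns Dan contrasts, concatenation versus parameters, as an added example that is not part of the thread: it runs the password-field input from the original post against both forms of a login query. An in-memory SQLite table stands in for SQL Server (the Users table and its one row are constructed for the demo); the placeholder syntax differs by driver, but the principle is the same.

```python
"""Added example: concatenated vs. parameterized login query.

Uses an in-memory SQLite database as a stand-in for SQL Server.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one account whose password the attacker does not know.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('ofir', 'correct-horse')")
    return conn


def login_concatenated(conn: sqlite3.Connection, user: str, password: str) -> int:
    # Vulnerable: the values become part of the SQL text, so a quote in the
    # input changes the structure of the statement, not just its data.
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName = '" + user
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone()[0]


def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> int:
    # Hardened: the statement text is fixed; the driver ships the values
    # separately, so the same input is compared literally and matches nothing.
    sql = "SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0]


# The password-field input quoted in the original post.
BYPASS = "a' or 'a'='a"

if __name__ == "__main__":
    db = make_db()
    # Concatenation: WHERE ... AND Password = 'a' or 'a'='a'  -> every row matches.
    print("concatenated:", login_concatenated(db, "ofir", BYPASS))   # 1 (logged in)
    # Parameters: the whole string is the password value -> no row matches.
    print("parameterized:", login_parameterized(db, "ofir", BYPASS))  # 0 (rejected)
```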

#3
Tom van Stiphout
Re: Sql injecting - 11-16-2007, 08:41 AM

On Fri, 16 Nov 2007 13:01:14 GMT, "Dan Guzman"
<guzmanda (AT) nospam-online (DOT) sbcglobal.net> wrote:

I agree with you, but isn't this a strike against LINQ?
-Tom.

#4
Roy Harvey (SQL Server MVP)
Re: Sql injecting - 11-16-2007, 02:38 PM

On Fri, 16 Nov 2007 01:31:14 -0800 (PST), ofiras <ofiasu (AT) gmail (DOT) com>
wrote:

Quote:
I'm a web programmer, but I never understood sql injecting.
One piece worth reading:

http://www.sommarskog.se/dynamic_sql.html#SQL_injection

Roy Harvey
Beacon Falls, CT


#5
steve
Re: Sql injecting - 11-16-2007, 09:10 PM

On Nov 16, 7:41 am, Tom van Stiphout <no.spam.tom7... (AT) cox (DOT) net> wrote:
Quote:
I agree with you, but isn't this a strike against LINQ?
That is funny, an objection to LINQ based on sql injection!

LINQ is to a database as asking a child to build a cyclotron. What you
get is some well intentioned but mangled piece of work that bears
little relation to reality. What a gigantic waste of resources. Had
they only brought in people who knew even the basic ideas of a 'real
relational database' MS might well be on the way to breaking new
ground in an area dormant forever. Now they simply have something they
can say 'hides' sql from the net developer. It seems what was
important was to design something, anything, so long as it would
'hide' sql. If anyone can explain what ideas/principles were being
followed I'd love to hear from them. MS has a net group and a database
group. Obviously they need another.

www.beyondsql.blogspot.com


#6
Tom van Stiphout
Re: Sql injecting - 11-17-2007, 12:44 AM

On Fri, 16 Nov 2007 19:10:51 -0800 (PST), steve <rog11228 (AT) aol (DOT) com>
wrote:

And those two buildings cannot be more than a few hundred feet apart.
Stunning, indeed.

-Tom.


#7
Dan Guzman
Re: Sql injecting - 11-17-2007, 08:32 AM

Quote:
I agree with you, but isn't this a strike against LINQ?
IMHO, yes. I know little about LINQ but, from what I've seen, there are
both pros and cons.

--
Hope this helps.

Dan Guzman
SQL Server MVP

#8
Ed Murphy
Re: Sql injecting - 11-17-2007, 10:49 AM

steve wrote:

Quote:
On Nov 16, 7:41 am, Tom van Stiphout <no.spam.tom7... (AT) cox (DOT) net> wrote:

I agree with you, but isn't this a strike against LINQ?
Depends. If LINQ implicitly protects against injection, then it's
precisely the opposite.

Quote:
LINQ is to a database as asking a child to build a cyclotron. What you
get is some well intentioned but mangled piece of work that bears
little relation to reality. What a gigantic waste of resources. Had
they only brought in people who knew even the basic ideas of a 'real
relational database' MS might well be on the way to breaking new
ground in an area dormant forever. Now they simply have something they
can say 'hides' sql from the net developer. It seems what was
important was to design something, anything, so long as it would
'hide' sql. If anyone can explain what ideas/principles were being
followed I'd love to hear from them. MS has a net group and a database
group. Obviously they need another.
Let's have a look, then, shall we?

http://en.wikipedia.org/wiki/Languag...NQ_Code_Sample

----- begin quote -----
// the Northwind type is a subclass of DataContext created by SQLMetal
// Northwind.Orders is of type Table<Order>
// Northwind.Customers is of type Table<Customer>

Northwind db = new Northwind(connectionString);

// use 'var' keyword because there is no name for the resultant type of the projection

var q = from o in db.Orders
        from c in db.Customers
        where o.Quality == "200" && (o.CustomerID == c.CustomerID)
        select new { o.DueDate, c.CompanyName, c.ItemID, c.ItemName };

// q is now an IEnumerable<T>, where T is the anonymous type generated by the compiler

foreach (var t in q)
{
    // t is strongly typed, even if we can't name the type at design time

    Console.WriteLine("DueDate Type = {0}", t.DueDate.GetType());
    Console.WriteLine("CompanyName (lowercased) = {0}", t.CompanyName.ToLower());
    Console.WriteLine("ItemID * 2 = {0}", t.ItemID * 2);
}
----- end quote -----

Look at the comments, in particular. If the type /could/ be named at
design time, at both the database and application layer, then would
your Holy Grail have finally been achieved?


#9
steve
Re: Sql injecting - 11-17-2007, 11:34 PM

On Nov 17, 9:49 am, Ed Murphy <emurph... (AT) socal (DOT) rr.com> wrote:

My point is MS is attempting to make application development easier at
the expense of database technology. There is nothing in LINQ that
advances db technology one inch. It is pure utility. There is nothing
I've read concerning LINQ that indicates that anyone remotely
connected with it has any idea of relational ideas/technology. And why
should they, it was not a requirement for the job. Had they the brains
to understand that relational technology is the key to overcoming the
impedance mismatch and leads to a simplified programming model for
application development, they may have taken a completely different
approach. Their holy grail is making sql server invisible and what
message does that send to the database community? The day that the
LINQ group recognizes the idea of a true table type will be the day a
new crew comes aboard for database development. I hope it's soon
because net is a marvelous platform, too good to waste on mediocre
thinkers.

www.beyondsql.blogspot.com

#10
Serge Rielau
Re: Sql injecting - 11-18-2007, 01:41 AM

steve wrote:
Quote:
On Nov 17, 9:49 am, Ed Murphy <emurph... (AT) socal (DOT) rr.com> wrote:

My point is MS is attempting to make application development easier at
the expense of database technology. There is nothing in LINQ that
advances db technology one inch. It is pure utility. There is nothing
I've read concerning LINQ that indicates that anyone remotely
connected with it has any idea of relational ideas/technology....
Hmmm, is this more to your taste?
http://en.wikipedia.org/wiki/PureQuery
(Don't get fooled by the DBMS limitation... That's just beta. Eventually
anything with a JDBC driver will be accepted)

Cheers
Serge
--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab