It is an old hack... E.g.
Let us say you have a "dynamic SQL" which goes something like
formID = Request.Form("ID")
sSQL = "SELECT * from myTable WHERE Id=" & formID
conn.Execute(sSQL)
Just imagine someone enters this: "5; DELETE FROM myTable"
The final SQL will be
SELECT * from myTable WHERE Id=5; DELETE FROM myTable
which is a valid SQL statement. The user should still need to know the table
names, but it is possible that the hacker might be able to delete system
tables.
To get around this, use stored procedures when possible, with parameters. At
the least, validate the input. Hope that helps.
--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com
"Kevin Hill" <no****@nospam.com> wrote in message
news:IFmKb.28029$i55.13481@fed1read06...
I am seeing log entries that have SQL statements embedded in the actual
forms.
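Added illustration (not part of either message above) of the two recommendations in the reply: the string concatenation the reply shows, the same lookup done with a bound parameter, and a whitelist check on the form value. Python's sqlite3 stands in for the ADO connection; the table name is the post's, its rows are constructed.

```python
import sqlite3
from typing import Optional

# Constructed stand-in for the post's "myTable" with two sample rows.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE myTable (Id INTEGER PRIMARY KEY, Name TEXT);"
        "INSERT INTO myTable VALUES (5, 'five'), (6, 'six');"
    )
    return conn

def dynamic_sql(form_id: str) -> str:
    # The post's concatenation: whatever the form sends becomes statement text,
    # so "5; DELETE FROM myTable" yields a second, destructive statement.
    return "SELECT * from myTable WHERE Id=" + form_id

def validate_id(form_id: str) -> Optional[int]:
    # Whitelist check ("at the least, validate the input"): an Id is a plain
    # non-negative integer; anything else is rejected before touching the DB.
    return int(form_id) if form_id.isdigit() else None

def bind_only(conn: sqlite3.Connection, form_id: str) -> list:
    # Parameterised query with no validation: the driver binds the raw form
    # value, which is compared as data and never parsed as SQL, so the injected
    # text matches nothing and no DELETE runs.
    return conn.execute("SELECT * FROM myTable WHERE Id=?", (form_id,)).fetchall()

def lookup_by_id(conn: sqlite3.Connection, form_id: str) -> Optional[list]:
    # Validation plus binding: rejected input returns None; accepted input is
    # bound as an integer parameter.
    id_ = validate_id(form_id)
    if id_ is None:
        return None
    return conn.execute("SELECT * FROM myTable WHERE Id=?", (id_,)).fetchall()

def row_count(conn: sqlite3.Connection) -> int:
    # Used to confirm the table is intact after the injected value is bound.
    return conn.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]

if __name__ == "__main__":
    payload = "5; DELETE FROM myTable"
    db = make_db()
    print(dynamic_sql(payload))          # what the post's concatenation produces
    print(bind_only(db, payload))        # [] : bound as a value, matches nothing
    print(lookup_by_id(db, payload))     # None : rejected by the whitelist check
    print(lookup_by_id(db, "5"))         # [(5, 'five')]
    print(row_count(db))                 # 2 : nothing was deleted
```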