Sql injecting

Hi everyone,
I'm a web programmer, but I never understood sql injecting.
All I found was that you can write "a' or 'a'='a" in the password
field to try to connect without knowing the password.
I heard that there are many other ways to do sql injecting, and I
never found how.
I know that you can even manage to get data from sql tables using sql
injecting.
How can it be? How can someone do it?
Please help,
Ofir.
Nov 16 '07 #1
> I'm a web programmer, but I never understood sql injecting.

Your best defense against SQL injection in SQL Server is to execute only
parameterized SQL statements and stored procedures. Never build SQL strings
by concatenating values. Code is vulnerable to injection if SQL statements
are built and executed like:

sqlStatement = "SELECT MyData FROM dbo.MyTable WHERE MyColumn = '" + myValue + "'";

A malicious user can change the intent of this SQL statement by specifying a
value like:

';DROP TABLE dbo.MyTable;--

or

' UNION ALL SELECT Password FROM dbo.Users;--

Google "SQL injection" for more information.

--
Hope this helps.

Dan Guzman
SQL Server MVP
Nov 16 '07 #2
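The concatenated pattern Dan describes beside its parameterized form, as an added example that is not from this thread: it uses Python's sqlite3 module with a constructed in-memory database (SQLite in place of SQL Server, so the tables are `MyTable` and `Users` without the `dbo.` prefix, and `?` placeholders where SqlClient would use `@name` parameters) and feeds both forms the exact values quoted in this thread.

```python
import sqlite3

# Constructed sample data standing in for the reply's dbo.MyTable and dbo.Users.
# SQLite has no "dbo" schema, so the tables are MyTable and Users here.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE MyTable (MyColumn TEXT, MyData TEXT);
        INSERT INTO MyTable VALUES ('x', 'public row');
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('alice', 's3cret'), ('bob', 'hunter2');
    """)
    return con

def lookup_concatenated(con, my_value):
    # The pattern the reply warns about: the value is spliced into the SQL text,
    # so a quote inside it ends the literal and the rest is parsed as SQL.
    sql = "SELECT MyData FROM MyTable WHERE MyColumn = '" + my_value + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_parameterized(con, my_value):
    # Parameterized: the statement is fixed, the value is bound separately and
    # is only ever compared, never parsed. (sqlite3 uses ?; SqlClient uses @name.)
    sql = "SELECT MyData FROM MyTable WHERE MyColumn = ?"
    return [row[0] for row in con.execute(sql, (my_value,))]

def login_concatenated(con, username, password):
    # The same defect in a login check; the password field is the weak point.
    sql = ("SELECT COUNT(*) FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return con.execute(sql).fetchone()[0] > 0

def login_parameterized(con, username, password):
    sql = "SELECT COUNT(*) FROM Users WHERE Username = ? AND Password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    con = make_db()
    union = "' UNION ALL SELECT Password FROM Users;--"  # value quoted in the reply
    print(lookup_concatenated(con, union))    # leaks every password
    print(lookup_parameterized(con, union))   # [] : treated as an ordinary string
    taut = "a' or 'a'='a"                     # value quoted in the original question
    print(login_concatenated(con, "nobody", taut))   # True without a valid password
    print(login_parameterized(con, "nobody", taut))  # False
```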
On Fri, 16 Nov 2007 13:01:14 GMT, "Dan Guzman" <gu******@nospam-online.sbcglobal.net> wrote:

I agree with you, but isn't this a strike against LINQ?
-Tom.
Nov 16 '07 #3
On Fri, 16 Nov 2007 01:31:14 -0800 (PST), ofiras <of****@gmail.com> wrote:
>I'm a web programmer, but I never understood sql injecting.
One piece worth reading:

http://www.sommarskog.se/dynamic_sql.html#SQL_injection

Roy Harvey
Beacon Falls, CT
Nov 16 '07 #4
On Nov 16, 7:41 am, Tom van Stiphout <no.spam.tom7...@cox.net> wrote:
> I agree with you, but isn't this a strike against LINQ?
That is funny, an objection to LINQ based on sql injection! :)

LINQ is to a database as asking a child to build a cyclotron. What you
get is some well intentioned but mangled piece of work that bears
little relation to reality. What a gigantic waste of resources. Had
they only brought in people who knew even the basic ideas of a 'real
relational database' MS might well be on the way to breaking new
ground in an area dormant forever. Now they simply have something they
can say 'hides' sql from the net developer. It seems what was
important was to design something, anything, so long as it would
'hide' sql. If anyone can explain what ideas/principles were being
followed I'd love to hear from them. MS has a net group and a database
group. Obviously they need another.

www.beyondsql.blogspot.com
Nov 17 '07 #5
On Fri, 16 Nov 2007 19:10:51 -0800 (PST), steve <ro******@aol.com> wrote:

And those two buildings cannot be more than a few hundred feet apart.
Stunning, indeed.

-Tom.
Nov 17 '07 #6
> I agree with you, but isn't this a strike against LINQ?

IMHO, yes. I know little about LINQ but, from what I've seen, there are
both pros and cons.

--
Hope this helps.

Dan Guzman
SQL Server MVP
Nov 17 '07 #7
On Nov 17, 9:49 am, Ed Murphy <emurph...@socal.rr.com> wrote:

My point is MS is attempting to make application development easier at
the expense of database technology. There is nothing in LINQ that
advances db technology one inch. It is pure utility. There is nothing
I've read concerning LINQ that indicates that anyone remotely
connected with it has any idea of relational ideas/technology. And why
should they, it was not a requirement for the job. Had they the brains
to understand that relational technology is the key to overcoming the
impedance mismatch and leads to a simplified programming model for
application development, they may have taken a completely different
approach. Their holy grail is making sql server invisible and what
message does that send to the database community? The day that the
LINQ group recognizes the idea of a true table type will be the day a
new crew comes aboard for database development:) I hope it's soon
because net is a marvelous platform, too good to waste on mediocre
thinkers.

www.beyondsql.blogspot.com
Nov 18 '07 #8
steve wrote:
> On Nov 17, 9:49 am, Ed Murphy <emurph...@socal.rr.com> wrote:
>
> My point is MS is attempting to make application development easier at
> the expense of database technology. There is nothing in LINQ that
> advances db technology one inch. It is pure utility. There is nothing
> I've read concerning LINQ that indicates that anyone remotely
> connected with it has any idea of relational ideas/technology....
Hmmm, is this more to your taste?
http://en.wikipedia.org/wiki/PureQuery
(Don't get fooled by the DBMS limitation... That's just beta. Eventually
anything with a JDBC driver will be accepted)

Cheers
Serge
--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
Nov 18 '07 #9
steve wrote:
> My point is MS is attempting to make application development easier at
> the expense of database technology. There is nothing in LINQ that
> advances db technology one inch....
Straw man. I did not ask about what LINQ explicitly does, but
rather what it suggests:
>Look at the comments, in particular. If the type /could/ be named at
design time, at both the database and application layer, then would
your Holy Grail have finally been achieved?
My objection is not so much to your general idea of variables of
type table-with-given-columns (I've recently worked with some systems
that could be cleaner if such a thing were available; currently they
work around it using temp tables); more to your specific use of D4 in
all your examples, as opposed to a pseudo-code extension of SQL.
Nov 19 '07 #10