Tag Archives: SQL Injection Attack

SQL Server User Group: SQL Injection Attacks

Posted on Wednesday, 29 June, 2011 by Colin Mackay

Examples The examples were run against a copy of the Adventure Works database. Basic Demo (ASP.NET MVC / C# / Visual Studio 2010) Second Order Demo (WinForms / C’# / Visual Studio 2010) Required Tables For the Second Order Demo … Continue reading

Posted in Community, SQL Injection Attack Talk, Talk Examples | Tagged | Leave a comment

If you really must do dynamic SQL…

Posted on Monday, 21 September, 2009 by Colin Mackay

I may have mentioned in previous posts and articles about SQL Injection Attacks that dynamic SQL (building SQL commands by concatenating strings together) is a source of failure in the security of a data driven application. It becomes easy to … Continue reading

Posted in Uncategorized | Tagged , , , | 7 Comments

BBC repeating mindless nonsense

Posted on Tuesday, 18 August, 2009 by Colin Mackay

I’ve just read a report from the BBC that simply repeats some mindless drivel about SQL Injection Attacks from a spokesman for the US Department of Justice. According to the BBC: Edward Wilding, a fraud investigator, told the BBC that … Continue reading

Posted in Uncategorized | Tagged , | 1 Comment

A fantastic cartoon on SQL Injection Attacks

Posted on Thursday, 11 October, 2007 by Colin Mackay

Just in time for the SQL Injection Attack micro presentation that I’m doing. From: xkcd.org Technorati Tags: SQL Injection Attack , cartoon , xkcd

Posted in Uncategorized | Tagged , | 2 Comments

SQL Injection Attacks

Posted on Sunday, 24 June, 2007 by Colin Mackay

Every day I see messages on various forums asking for help with SQL. Nothing wrong with that. People want to understand how something works, or have a partial understanding but something is keeping them from completing their task. However, I frequently … Continue reading

Posted in Uncategorized | Tagged , , , , | Leave a comment

UPDATE: Sql Injection Attacks

Posted on Sunday, 24 June, 2007 by Colin Mackay

As a follow up to my post on preventing SQL Injection Attacks a couple of months ago I just found this little nugget, I Made a Difference[^], and it shows what can be achieved if you don’t secure against SQL Injection attacks – and … Continue reading

Posted in Uncategorized | Tagged | 1 Comment

Please please please learn about SQL Injection Attacks

Posted on Sunday, 24 June, 2007 by Colin Mackay

Here are two more great blog entries about preventing SQL Injection Attacks First, Bertrand Le Roy gives some excellent advice about how to spot potential sites for injection attacks and how to get yourself out of that mess: Please, please, please, … Continue reading

Posted in Uncategorized | Tagged | Leave a comment

Protecting Tables from SQL Injection Attack

Posted on Sunday, 24 June, 2007 by Colin Mackay

A recent question in a forum that I view asked about how to ensure that even if one layer of security was compromised that the table would only ever return one row at a time so that an attacker would have … Continue reading

Posted in Uncategorized | Tagged | Leave a comment

Oh No! More on SQL Injection Attacks

Posted on Friday, 22 June, 2007 by Colin Mackay

I’ve not written about this in a while becuase it seemed that people were getting the message. But today I was asked, on Code Project, “I am wondering why injecting values into the [SQL] string is considered a security risk?” … Continue reading

Posted in Uncategorized | Tagged | 1 Comment

SQL Injection Attacks and executing dynamically created SQL

Posted on Friday, 22 June, 2007 by Colin Mackay

There is a very important difference between EXEC[UTE] and sp_executesql that anyone who executes dynamically generated SQL statements ought to know. Typically dynamic SQL is generated when a particular construct is not possible by using parameters alone or when certain … Continue reading

Posted in Uncategorized | Tagged , | Leave a comment