Brendan Tompkins [MVP]

Possible SQL Injection via SQL Parameters?

I just heard something on the latest DotNetRocks episode, featuring Joe Stagner, that has made me very nervous. At around 1h 30m into the show, the talk turns to security. Carl asks if it's possible to inject SQL when using a SqlParameter. It's a common belief that it's not possible, but Joe Stagner says that it is possible and he, in fact, knows how to do it! I for one am not comfortable with security by obscurity, and don't like knowing that there's a possible security loophole that I'm not accounting for. So, how can someone do this? Most importantly, how does one protect against it?

-Brendan


Posted 09-21-2004 9:53 AM by Brendan Tompkins
