CodeBetter.Com

Brendan Tompkins [MVP]

Blog First. Ask Questions Later.

Possible SQL Injection via SQL Parameters?

I just heard something on the latest DotNetRocks episode, featuring Joe Stagner, that has made me very nervous. At around 1h 30m into the show, the talk turns to security. Carl asks whether it's possible to inject SQL when using a SqlParameter. The common belief is that it's not possible, but Joe Stagner says that it is possible and that he, in fact, knows how to do it! I for one am not comfortable with security by obscurity, and I don't like knowing that there's a possible security loophole that I'm not accounting for. So, how can someone do this? Most importantly, how does one protect against it?

-Brendan
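To make the question concrete, here is an added example (mine, not Brendan's or anything from the show) that runs offline against SQLite via Python's sqlite3 module as a stand-in for SQL Server and ADO.NET. It compares three ways of building the same lookup on constructed sample data: string concatenation, a parameterized query (the SqlParameter equivalent), and a parameterized first hop whose receiving code then concatenates the value into a second, dynamic SQL string, which is the well-known way a "safe" parameter can still end up executed as SQL (the EXEC('...' + @param) pattern inside a stored procedure on SQL Server). Table, column and function names are my own.

```python
import sqlite3

# Constructed sample data and one crafted lookup value, used only to show how the
# three query-building styles below treat the same input.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
HOSTILE_INPUT = "nobody' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database with a small users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """String concatenation: the input is spliced into the SQL text and is parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterised query: the value is bound separately and is never parsed as SQL.

    This is the sqlite3 equivalent of adding a SqlParameter to a SqlCommand.
    """
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_param_then_dynamic(conn, name):
    """The failure mode behind the 'injection despite parameters' claim.

    The value arrives safely as a parameter (think: passed to a stored procedure),
    but the receiving code then builds a second SQL string by concatenation and
    executes it.  The parameter boundary protected only the first hop.  On SQL
    Server this is EXEC('SELECT ... ' + @name) inside a procedure; it is
    emulated here in Python because SQLite has no stored procedures.
    """
    def receiving_procedure(db, param_value):
        # Hypothetical server-side body that rebuilds SQL from its parameter.
        dynamic_sql = "SELECT email FROM users WHERE name = '" + param_value + "'"
        return [row[0] for row in db.execute(dynamic_sql)]

    return receiving_procedure(conn, name)


def demo():
    """Run all three styles with the crafted input and return the rows each produced."""
    conn = make_db()
    results = {
        "concat": lookup_concat(conn, HOSTILE_INPUT),
        "param": lookup_param(conn, HOSTILE_INPUT),
        "param_then_dynamic": lookup_param_then_dynamic(conn, HOSTILE_INPUT),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for style, rows in demo().items():
        print(f"{style:20s} -> {len(rows)} row(s): {rows}")
```

Only the middle case returns nothing: the bound parameter is compared as a literal string, so the quote and the OR inside it are just characters. The first and third cases return every row, and the third is the one to watch for in practice, because the application code looks correct. The protection therefore has to hold at every hop: keep the value a parameter all the way down (on SQL Server, sp_executesql with a parameter list rather than EXEC of a concatenated string), and treat anything a parameter cannot carry, such as a table or column name or an ORDER BY target, as a value to be checked against an allow-list rather than spliced into the text.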



About Brendan Tompkins

Brendan has been programming with .NET since the first public beta and is owner and operator of Port Technology Services, a consultancy providing .NET application development services to the maritime industry. In July 2007, he was awarded the Microsoft MVP award for ASP.NET. He's also a proud co-founder of failed .COM startup Intrinsigo, and has had a hand in the failure of numerous other businesses. He currently runs CodeBetter.Com and Devlicio.us, and lives in Norfolk, Virginia with his wife Tiara and son Ian.
