Blog First. Ask Questions Later.
I just heard something on the latest DotNetRocks episode, featuring Joe Stagner, that has made me very nervous. At around 1h 30m into the show, the talk turns to security. Carl asks if it's possible to inject SQL when using a SqlParameter. It's a common belief that it's not possible, but Joe Stagner says that it is possible and he, in fact, knows how to do it! I for one am not comfortable with security by obscurity, and don't like knowing that there's a possible security loophole that I'm not accounting for. So, how can someone do this? Most importantly, how does one protect against it?
-Brendan
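The post does not say which technique Joe Stagner had in mind, so the following is an added example, not something from the episode or from Brendan. It shows the one well-documented way a value that was bound correctly with a SqlParameter on the .NET side can still become injectable: the parameter itself is never parsed as SQL, but if server-side code (here a stored procedure) concatenates that value into a new statement and runs it with EXEC, the protection is lost at that second step. The table, procedure names and the test value are constructed for the demo; the hardened version keeps the value a parameter all the way through by using sys.sp_executesql with a parameter list.

```sql
-- Constructed demo data (not from the original post).
CREATE TABLE dbo.Customers (Id INT, Name NVARCHAR(100));
INSERT INTO dbo.Customers VALUES (1, N'Acme'), (2, N'Globex');
GO

-- Vulnerable: @name arrives intact from the SqlParameter, but the procedure
-- glues it into a brand-new statement, so the value is parsed as SQL again.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name FROM dbo.Customers WHERE Name = ''' + @name + N'''';
    EXEC (@sql);
END
GO

-- Hardened: the dynamic statement still takes the value as a parameter, so it
-- can only ever be compared as data, never executed as code.
CREATE PROCEDURE dbo.FindCustomer_Safe @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name FROM dbo.Customers WHERE Name = @n';
    EXEC sys.sp_executesql @sql, N'@n NVARCHAR(100)', @n = @name;
END
GO

-- Both calls below are exactly what a SqlCommand with CommandType.StoredProcedure
-- and a single SqlParameter would send. The value closes the string literal and
-- comments out the rest of the statement.
EXEC dbo.FindCustomer_Unsafe @name = N'x'' OR 1=1 --';   -- returns every row
EXEC dbo.FindCustomer_Safe   @name = N'x'' OR 1=1 --';   -- returns no rows
```

The check a practitioner would run is simple: search every stored procedure, trigger and function for EXEC with a concatenated string (or for sp_executesql called without a parameter list), because that is the point where a bound parameter gets turned back into text. Where an identifier rather than a value must be dynamic (a table or column name), pass it through QUOTENAME and validate it against an allow list, since identifiers cannot be parameterized.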
About Brendan Tompkins
Brendan has been programming with .NET since the first public beta and is owner and operator of Port Technology Services, a consultancy company providing .NET application development services to the Maritime industry. In July, 2007, he was awarded the Microsoft MVP award for ASP.NET.
He's also a proud co-founder of failed .COM startup Intrinsigo, and has had a hand in the failure of numerous other businesses.
He currently runs CodeBetter.Com and Devlicio.us, and lives in Norfolk, Virginia with his wife Tiara and son Ian.