Answer Posted / venkat reddy.ravu
SQL injection is nothing but inserting malicious code into the strings which are later passed to a particular SQL Server instance, which may damage the database or corrupt the data.
For example:
var EmpName;
EmpName = Request.Form("EmpName");   // untrusted value taken straight from the HTTP form
// the user input is concatenated into the SQL text, so it becomes part of the statement
var sql = "select * from Employee where EmpName= '" + EmpName + "'";
If you consider the above query and the user is prompted to enter the input as Scott,
then the query is processed like this:
select * from Employee where EmpName='Scott'
If the user enters the input as below,
Scott,drop table Employee
in this case your query will be processed as below:
select * from Employee where EmpName='Scott',drop table Employee
So, the first select statement will be executed and then the table will be dropped.
In short, without coding standards an experienced user may damage or corrupt the databases.
To avoid SQL injection attacks:
1) Use Parameterized Input with Stored Procedures
2) Use the Parameters Collection with Dynamic SQL
3) Filtering Input
4) LIKE Clauses
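The string-built query from the answer above, run against a real database beside its parameterized fix, as an added example that is not part of the original answer. It uses Python's built-in sqlite3 module with an in-memory Employee table constructed here: the table and the EmpName column come from the answer, while the Salary column and the sample rows are assumptions. sqlite3's execute() refuses stacked statements, so the drop-table case is emulated with executescript(), which behaves like a server such as SQL Server that runs a whole batch; the tautology payload goes through execute() alone. The last function covers item 4 of the list, a LIKE search where the wildcards inside user input are escaped, because parameters alone do not neutralise % and _ in a pattern.

```python
import sqlite3

# Constructed sample data: the Employee table and EmpName column come from
# the answer above; the Salary column and these rows are assumptions.
SAMPLE_ROWS = [("Scott", 5000), ("Tiger", 6000), ("Alice", 7000)]


def make_db():
    """Build an in-memory Employee table to run the queries against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (EmpName TEXT, Salary INTEGER)")
    conn.executemany("INSERT INTO Employee VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, emp_name):
    """The answer's string-built query, as written: the input becomes SQL text."""
    sql = "select * from Employee where EmpName= '" + emp_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, emp_name):
    """Fix 2 from the list: the value travels in the parameters collection,
    so whatever it contains is compared as data and never parsed as SQL."""
    sql = "select * from Employee where EmpName = ?"
    return conn.execute(sql, (emp_name,)).fetchall()


def run_batch_vulnerable(conn, emp_name):
    """The same string-built query sent to a server that accepts stacked
    statements. sqlite3.execute() refuses them, so executescript() stands in
    for a server such as SQL Server that runs the whole batch."""
    sql = "select * from Employee where EmpName= '" + emp_name + "'"
    conn.executescript(sql)


def table_exists(conn, name):
    """Check whether a table survived the batch."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_prefix(conn, prefix):
    """Fix 4 from the list: parameters do not neutralise % and _ inside a
    LIKE pattern, so escape them before appending our own trailing %."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "select * from Employee where EmpName LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (escaped + "%",)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "Scott' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(conn, payload))    # all three rows
    print("parameterized:", lookup_parameterized(conn, payload)) # []
    print("prefix '%'   :", lookup_prefix(conn, "%"))            # [] rather than every row
    run_batch_vulnerable(conn, "Scott'; DROP TABLE Employee;--")
    print("Employee table still exists:", table_exists(conn, "Employee"))  # False
```

The tautology payload turns the answer's concatenated query into `... where EmpName= 'Scott' OR '1'='1'` and returns every employee, while the parameterized version looks for an employee literally named `Scott' OR '1'='1` and returns nothing. The `--` at the end of the drop-table payload comments out the closing quote the template appends, which is why the batch parses cleanly on a server that accepts stacked statements.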