SQL injection is nothing but inserting malicious code with the strings an

what is sql injection in sql server?

Question Posted / venkat reddy.ravu

2 Answers
6751 Views
TATA, I also Faced
E-Mail Answers

Answer Posted / venkat reddy.ravu

SQL injection is nothing but inserting malicious code with
the strings and later which will pass to the particular SQL
server instances which may damage the database or may
corrupt bthe data

For exaple:

var EmpName;
EmpName= Request.form ("EmpName");
var sql = "select * from Employee where EmpName= '" +
EmpName+ "'";

If you considers the above query and if user prompts to
enter the input as Scott,

Then query processed like this

select * from Employee where EmpName='Scott'

If user enters the input as below,

Scott,drop table Employee
In this case your query will be processed as below

select * from Employee where Ename='Scott',drop table emp

So,first select statement will be executed and then table
will be dropped.

Nothing but without standard of coding an expertised user
may damages or corrupt the databases.

To avoid SQL injection attacks:-
1)Use Parameterized Input with Stored Procedures
2)Use the Parameters Collection with Dynamic SQL
3)Filtering Input
4)LIKE Clauses

Is This Answer Correct ?

2 Yes

0 No

Post New Answer View All Answers

Please Help Members By Posting Answers For Below Questions

How efficient you are in oracle and SQL server?

1258

Can one drop a column from a table?

1090

How can I check that whether automatic statistic update is enabled or not?

1113

do you know how to configure db2 side of the application? : Sql server database administration

1125

What are different types of constraints?

1002

Does view occupy space?

1021

How to rebuild the master database?

1167

What is clustered index

1087

What is a view in sql?

1043

Why should you use or avoid select * statements?

1111

What are the pros and cons of putting a scalar function in a queries select list or in the where clause?

1300

What are the source of constraints?

1010

This question asked during interview, 2) At the end of each month, a new table is created for each bank that contains monthly metrics consolidated at the account level. The table naming convention is bankX_YYYYMM where X represents the numeric designation of the bank and YYYYMM indicates the 4 digit year and 2 digit month. The tables contain the following fields: name data type description account text account number registered boolean indicates whether the account is registered num_trans integer number of transactions made during the time period spend numeric(9,2) total spend during the time period a) Write a SQL query that will display the total number of transactions and total spend for "Bank1" during the 4th quarter of 2009. b) Write a SQL query that will display the total number of transactions and total spend at "Bank1" and "Bank2", broken out by registered vs. non-registered accounts, during January 2010 not sure what is correct answer and how to solve?

2568

Why and when do stored procedure recompile?

1064

Can sql servers link to other servers like oracle?

918