Quote Originally Posted by cicatrix:
I still can't see how your example in the post #10 gets around the SQL injection risk.
The difference is that your code is processed on the client, while mine is processed on the server. You are inserting literal values into the SQL code first, then sending that SQL code to the server. Let's say that you have this code:
vb.net Code:
Dim query = "SELECT * FROM SomeTable WHERE SomeColumn = '" & someTextBox.Text & "'"
If the user then types the following into that TextBox:
Code:
'; DELETE FROM SomeTable; SELECT * FROM SomeTable WHERE SomeColumn = '
That literal string will be inserted into your SQL code before sending it to the server, so the actual SQL code you execute will be:
Code:
SELECT * FROM SomeTable WHERE SomeColumn = ''; DELETE FROM SomeTable; SELECT * FROM SomeTable WHERE SomeColumn = ''
Congratulations! You just deleted every record in your table courtesy of SQL injection.

Now, if you had used a parameter:
vb.net Code:
Dim query = "SELECT * FROM SomeTable WHERE SomeColumn = @SomeColumn"
then that is the SQL that would be sent to the server. The server would then compare the value of the parameter, i.e. the value the user entered, to the values in the SomeColumn column. That value is treated as text rather than executed as SQL code, so no harm can be done.
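As an added example (not code from cicatrix's or the replying author's posts), here is the same contrast run against an in-memory SQLite database in Python, standing in for the VB.NET/ADO.NET code above: the concatenated query lets the exact TextBox input from the post delete every row, while the parameterised query treats it as a plain string and matches nothing. Assumptions: `executescript()` stands in for a server that accepts several statements in one command (as SQL Server does), SQLite's `:SomeColumn` placeholder stands in for ADO.NET's `@SomeColumn`, and the table contents are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for SomeTable (assumption, not from the post).
SAMPLE_ROWS = [("alpha",), ("beta",), ("gamma",)]

# The exact text the post has the user type into the TextBox.
INJECTED_INPUT = "'; DELETE FROM SomeTable; SELECT * FROM SomeTable WHERE SomeColumn = '"


def fresh_db() -> sqlite3.Connection:
    """Create an in-memory database holding a small SomeTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SomeTable (Id INTEGER PRIMARY KEY, SomeColumn TEXT)")
    conn.executemany("INSERT INTO SomeTable (SomeColumn) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM SomeTable").fetchone()[0]


def query_by_concatenation(conn: sqlite3.Connection, user_text: str) -> int:
    """Vulnerable pattern: the user's text is spliced into the SQL before it is sent.

    executescript() stands in for a server that runs a batch of statements in one
    command, so whatever the user typed is executed as SQL. Returns rows left."""
    query = "SELECT * FROM SomeTable WHERE SomeColumn = '" + user_text + "'"
    conn.executescript(query)
    return row_count(conn)


def query_with_parameter(conn: sqlite3.Connection, user_text: str) -> list:
    """Safe pattern: the SQL text is fixed and the value travels as a parameter.

    SQLite's :SomeColumn plays the role of ADO.NET's @SomeColumn; the server
    compares the value as text and never parses it as SQL."""
    query = "SELECT Id, SomeColumn FROM SomeTable WHERE SomeColumn = :SomeColumn"
    return conn.execute(query, {"SomeColumn": user_text}).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("rows before:", row_count(db))                                  # 3
    print("rows after concatenated query:", query_by_concatenation(db, INJECTED_INPUT))  # 0
    db = fresh_db()
    print("parameterised match:", query_with_parameter(db, INJECTED_INPUT))  # []
    print("rows after parameterised query:", row_count(db))               # 3
```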