Parameters and Security in Dynamic Queries

Creating queries using values entered by the user is a significant security risk, especially if the application is a public Web site, in which case you don’t know who the user is or how much knowledge the user has. If the user knows about SQL syntax, they can break into your database using a technique known as a “SQL-injection” attack.

How SQL-Injection Attacks Work

Let’s consider a very simple example. Imagine a public Web site that lets the user search for products online. In the site, the application allows the user to find products using part of the name, so it builds and uses a simple dynamic query like this:

SqlDataSource1.SelectCommand = _
    "SELECT ProductNumber, Name, ListPrice " & _
    "FROM Production.Product ...
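The following is an added example, not code from the book, that shows the difference between the concatenated dynamic query above and the same search written with a parameter. It assumes Python's sqlite3 module and a constructed in-memory Product table standing in for Production.Product, rather than SQL Server and SqlDataSource; the point carries over unchanged, since SQL Server parameters (@term) bind the value the same way. With concatenation, any text the user types is handed to the SQL parser as part of the statement, which shows up first as a syntax error on an ordinary input containing an apostrophe; with a parameter, the statement text is fixed and the input is only ever a value to match.

```python
import sqlite3

# Constructed sample rows standing in for the book's Production.Product table.
SAMPLE_PRODUCTS = [
    (1001, "Mountain Bike", 1200.00),
    (1002, "Road Bike", 950.00),
    (1003, "O'Neil Helmet", 45.00),
]


def make_db():
    """In-memory SQLite database with a Product table shaped like the page's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Product (ProductNumber INTEGER, Name TEXT, ListPrice REAL)"
    )
    conn.executemany("INSERT INTO Product VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_concatenated(conn, term):
    """Dynamic query built by string concatenation, as on the page.

    The user's text is pasted into the statement, so the database parser
    reads it as SQL rather than as a value.
    """
    sql = (
        "SELECT ProductNumber, Name, ListPrice FROM Product "
        "WHERE Name LIKE '%" + term + "%'"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Same search with a named parameter (:term).

    The statement text never changes; the driver sends the term as a bound
    value, so quotes and keywords in it are just characters to match.
    """
    sql = (
        "SELECT ProductNumber, Name, ListPrice FROM Product "
        "WHERE Name LIKE '%' || :term || '%'"
    )
    return conn.execute(sql, {"term": term}).fetchall()


def concatenation_fails(conn, term):
    """True when the concatenated query cannot even be parsed for this input,
    the first visible symptom that user text is reaching the SQL parser."""
    try:
        search_concatenated(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # "O'Neil" is a legitimate search term; only the concatenated form chokes on it.
    for term in ("Bike", "O'Neil", "SELECT"):
        print(f"term={term!r}")
        print("  parameterized:", search_parameterized(db, term))
        if concatenation_fails(db, term):
            print("  concatenated:  syntax error (input was parsed as SQL)")
        else:
            print("  concatenated: ", search_concatenated(db, term))
```

Run it as a script to see the three cases side by side. The parameterized version returns the helmet row for "O'Neil" and an empty result for "SELECT", because the keyword is compared as text; the concatenated version fails to parse the apostrophe, which is the same mechanism an attacker relies on, observed on harmless input.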
