SQL Injection with ADO parameters

---

• From: "Gaspar" <noreply@xxxxxx>
• Date: Thu, 16 Feb 2006 16:51:43 -0300

---

Is it possible to hack SQL Server with injection via ADO Parameters?

Suppose I have the following query "SELECT * FROM myTable WHERE id =
:param"?
I know that the following is unsafe: "SELECT * FROM myTable WHERE id = " +
value, but what about using parameters like the example above?

Thanks!


.

---

• Follow-Ups:
  • Re: SQL Injection with ADO parameters
    • From: Dan Guzman
  • Re: SQL Injection with ADO parameters
    • From: John 3:16

• Prev by Date: Re: Move 10 DBs and provide dev access thru EM?
• Next by Date: Re: SQL thinks it's Slammer
• Previous by thread: Re: How can I scan for named instances of SQL?
• Next by thread: Re: SQL Injection with ADO parameters
• Index(es):
  • Date
  • Thread

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.sqlserver.security  > 2006-02