Re: SQL Injection with ADO parameters
- From: "John 3:16" <bobmcc@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Feb 2006 13:33:23 -0500
Gaspar, Try something like this...
--ADO algorithm to fire sp with input params
Dim oCmd As Command, param As Parameter
Dim cn As New ADODB.Connection, sqlString As String
sqlString = "YourStoredProc"
Set oCmd = New ADODB.Command
Set cn = CurrentProject.Connection
Set oCmd.ActiveConnection = cn
oCmd.CommandText = sqlString
oCmd.CommandType = adCmdStoredProc
oCmd.CommandTimeout = 15
Set param = New ADODB.Parameter
param.Type = adChar
param.Size = 8 ' 3 bytes
param.Direction = adParamInput
param.Value = YourParam
param.Name = "Param1"
oCmd.Parameters.Append param
oCmd.Execute , , adExecuteNoRecords
"Gaspar" <noreply@xxxxxx> wrote in message
news:upRZrJzMGHA.3728@xxxxxxxxxxxxxxxxxxxxxxx
Is it possible to hack SQL Server with injection via ADO Parameters?
Suppose I have the following query "SELECT * FROM myTable WHERE id =
:param"?
I know that the following is unsafe: "SELECT * FROM myTable WHERE id = " +
value, but what about using parameters like the example above?
Thanks!
.
- References:
- SQL Injection with ADO parameters
- From: Gaspar
- SQL Injection with ADO parameters
- Prev by Date: Re: Move 10 DBs and provide dev access thru EM?
- Next by Date: Backup-Restore on Encrypted Columns
- Previous by thread: SQL Injection with ADO parameters
- Next by thread: Re: SQL Injection with ADO parameters
- Index(es):
Relevant Pages
|
|
