Re: SQL Injection with ADO parameters

---

• From: "Dan Guzman" <guzmanda@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Sat, 18 Feb 2006 07:40:29 -0600

---

Parameters are much more secure that building strings with concatenation as
long as you also avoid dynamic SQL on the back-end. Also, you get better
performance and don't have to worry about embedded quotes and date
formatting.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Gaspar" <noreply@xxxxxx> wrote in message
news:upRZrJzMGHA.3728@xxxxxxxxxxxxxxxxxxxxxxx

Is it possible to hack SQL Server with injection via ADO Parameters?

Suppose I have the following query "SELECT * FROM myTable WHERE id =
:param"?
I know that the following is unsafe: "SELECT * FROM myTable WHERE id = " +
value, but what about using parameters like the example above?

Thanks!

.

---

• References:
  • SQL Injection with ADO parameters
    • From: Gaspar

• Prev by Date: Re: How can I scan for named instances of SQL?
• Next by Date: Re: SQL thinks it's Slammer
• Previous by thread: Re: SQL Injection with ADO parameters
• Next by thread: Re: SQL thinks it's Slammer
• Index(es):
  • Date
  • Thread

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.sqlserver.security  > 2006-02