Apostrophe's to the rescue
-
Just read this story in the lounge. Reminds me of a true shame... Our 'senior' SQL expert recently wrote some dynamic SQL SP. He is fully aware of SQL injection and actually went about it keeping security in the back of his head. This is what he came up with (just his idea, not the query)...
sql_statement = 'select '''@param''' from someTable'
I took a look at the query and asked him what in the hell all those apostrophes were doing there (the thing was full of them, lots of magic going on there!). He said that was to prevent SQL injection. Can you imagine my reaction? I broke it with a single search for "D'artagnan" ;p It was then and there that I (a SQL rookie) taught him about quotename... :wtf:
It's an OO world.
modified on Tuesday, August 30, 2011 10:23 AM
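An added illustration (not the poster's procedure, and not the senior's actual SP) of why wrapping the value in apostrophes fails on "D'artagnan" and how QUOTENAME or a real parameter fixes it. Table and column names (dbo.someTable, name) and the WHERE-clause form are assumed for the sake of a search query.

```sql
-- Added example, not code from the thread. Assumed objects: dbo.someTable with column name.
DECLARE @param nvarchar(100) = N'D''artagnan';  -- the search value from the post, as a T-SQL literal
DECLARE @sql   nvarchar(max);

-- 1. The pattern the post describes: wrap the value in apostrophes and splice it into the text.
--    '''' is a single apostrophe, so this builds:
--        select name from dbo.someTable where name = 'D'artagnan'
--    The apostrophe inside the value closes the literal early; the statement is malformed,
--    and a value chosen on purpose can change what the statement does.
SET @sql = N'select name from dbo.someTable where name = ''' + @param + N'''';
PRINT @sql;  -- shown only; executing it raises a syntax error

-- 2. QUOTENAME with an apostrophe as the quote character wraps the value and doubles every
--    embedded apostrophe, producing the valid literal 'D''artagnan'.
--    Caveat: QUOTENAME returns NULL for input longer than 128 characters, which would turn
--    the whole concatenated @sql into NULL, so check the result before executing.
SET @sql = N'select name from dbo.someTable where name = ' + QUOTENAME(@param, '''');
IF @sql IS NULL
    THROW 50000, N'QUOTENAME returned NULL (input too long); refusing to execute.', 1;
PRINT @sql;
EXEC sp_executesql @sql;

-- 3. Preferred: keep the value out of the statement text entirely and bind it as a parameter.
--    No quoting is needed because @p is never part of the SQL text.
SET @sql = N'select name from dbo.someTable where name = @p';
EXEC sp_executesql @sql, N'@p nvarchar(100)', @p = @param;
```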
-
Very true indeed! I was not aware of them (or perhaps I am, but not of the name). However, I'm not the SQL expert :)
It's an OO world.