Share via

SQL Injection

Prancer Io 21 Reputation points
2020-09-21T05:16:19.28+00:00

What is SQL Injection and How to Prevent Attacks?

SQL Server | Other

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Erland Sommarskog 133.9K Reputation points MVP Volunteer Moderator
    2020-09-21T21:55:09.653+00:00

    SQL Injection can occur when you build statements by concatenating user input into SQL statements, for instance: 

    stmt = "INSERT tbl (a, b) VALUES('" + a.text + "','" + b.text + "')"

    The this permits the user to enter something with a single quote and all of a sudden there is a different statement. This is a very bad coding pattern which you must never use.

    I have an article on my web site where I discuss dynamic SQL, and it includes a section of how to write parametrised statements and there is also a chapter on SQL injection. You find it here: http://www.sommarskog.se/dynamic_sql.html.

    0 comments
  2. AmeliaGu-MSFT 14,011 Reputation points Microsoft External Staff
    2020-09-21T07:45:52.947+00:00

    Hi @Prancer Io ,

    SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives.

    To prevent SQL injection, please refer to the following articles which might help:
    SQL Injection: Detection and prevention
    SQL Injection Tutorial: Learn with Example
    Best Regards,
    Amelia

    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.