db-torque-user mailing list archives

From Markus Müller <sp...@online.de>
Subject Precautions against "SQL Injection"?
Date Wed, 16 Sep 2009 07:00:33 GMT
Hello,

Are there any precautions against SQL Injection?

Example (http://de.wikipedia.org/wiki/SQL_Injection):

User enters the value
    sql' ;GO EXEC cmdshell('format C') --
which leads to execution of the statement
    SELECT url, title FROM myindex
    WHERE keyword
    LIKE '%sql' ;GO EXEC cmdshell('format C') --%'
instead of
    SELECT url, title FROM myindex
    WHERE keyword
    LIKE '%sql%'

Best regards,
Markus Müller

-- 
Markus Müller, Karlsruhe, www.mm65.de
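The precaution the poster is asking about is to bind the user's text as a query parameter instead of pasting it into the SQL string. The following is an added illustration, not code from the post or from Torque: it uses Python's sqlite3 module and a constructed in-memory `myindex` table to show the concatenated statement the post describes beside a parameterised search, with the LIKE wildcards in the value escaped as well (the `search_safe` and `build_unsafe_sql` names are the example's own).

```python
import sqlite3

# Constructed sample rows standing in for the poster's "myindex" table.
SAMPLE_ROWS = [
    ("https://example.invalid/sql-basics", "SQL basics", "sql"),
    ("https://example.invalid/mysql", "MySQL notes", "mysql"),
    ("https://example.invalid/java", "Java intro", "java"),
]

# The input from the poster's example.
HOSTILE_INPUT = "sql' ;GO EXEC cmdshell('format C') --"


def open_index():
    """Create the constructed table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myindex (url TEXT, title TEXT, keyword TEXT)")
    conn.executemany("INSERT INTO myindex VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_unsafe_sql(user_input):
    """The defect: the user's text becomes part of the statement, so a quote
    in it ends the literal and whatever follows is parsed as SQL. Returned
    as text only, to show what would reach the database; never executed."""
    return ("SELECT url, title FROM myindex WHERE keyword LIKE '%"
            + user_input + "%'")


def search_safe(conn, user_input):
    """The precaution: a bind parameter. The driver sends the value apart
    from the statement text, so it can only ever be compared as data.
    '%' and '_' typed by the user are escaped so they match themselves
    instead of acting as LIKE wildcards."""
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    return conn.execute(
        "SELECT url, title FROM myindex WHERE keyword LIKE ? ESCAPE '\\' "
        "ORDER BY url",
        ("%" + escaped + "%",),
    ).fetchall()


if __name__ == "__main__":
    db = open_index()
    print(build_unsafe_sql(HOSTILE_INPUT))   # the statement from the post
    print(search_safe(db, "sql"))            # two matching rows
    print(search_safe(db, HOSTILE_INPUT))    # [] : treated as a keyword
```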

---------------------------------------------------------------------
To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
For additional commands, e-mail: torque-user-help@db.apache.org

