Let's say you have a text field on some application that's used as part of a SQL select statement like "SELECT " + txtField.Text() + " FROM [Some_Table];"
What if the user entered "(DELETE *)" or some other insert, update, etc. in the text field? Is there any way it could embed the statement and really mess things up in your database?

Yes. Google for "SQL injection". And vow never again to build your SQL like that; use bind variables to pass user input to the SQL engine. This also makes the database perform better AND makes your SQL easier to write:
"SELECT ? FROM [Some_Table]"
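The concatenated statement beside its bind-variable replacement, as an added Python/sqlite3 example that is not part of the original post; the table and its rows are constructed. It also shows that a placeholder binds a value, not a column name, so an identifier chosen by the user has to be checked against an allow-list rather than bound.

```python
import sqlite3

def setup():
    # Constructed sample data: an in-memory table standing in for [Some_Table].
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO some_table (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn

def lookup_concatenated(conn, user_text):
    # Vulnerable form: the text is spliced into the statement, so any quote or
    # keyword it contains is parsed as SQL rather than compared as data.
    sql = "SELECT name FROM some_table WHERE name = '" + user_text + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, user_text):
    # Hardened form: the text travels as a bind variable and is only ever a value.
    rows = conn.execute("SELECT name FROM some_table WHERE name = ?", (user_text,))
    return [row[0] for row in rows]

def bind_as_column(conn, column):
    # A placeholder binds a value, not an identifier: this returns the literal
    # string once per row instead of the column's contents.
    return [row[0] for row in conn.execute("SELECT ? FROM some_table", (column,))]

ALLOWED_COLUMNS = {"id", "name"}

def select_column(conn, column):
    # Identifiers chosen by the user are checked against an allow-list before
    # being placed in the statement, since they cannot be bound.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    return [row[0] for row in conn.execute("SELECT %s FROM some_table" % column)]

def run_demo():
    conn = setup()
    try:
        lookup_concatenated(conn, "O'Brien")   # the apostrophe breaks the statement
        concat_failed = False
    except sqlite3.OperationalError:
        concat_failed = True
    return {
        "concat_failed": concat_failed,
        "bound": lookup_bound(conn, "O'Brien"),
        "bound_identifier": bind_as_column(conn, "name"),
        "allow_listed": select_column(conn, "name"),
    }

if __name__ == "__main__":
    print(run_demo())
```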
Monday, March 26, 2012