The language idioms for avoiding SQL injection which are described here are for use in the application layer -- a programming language / runtime connects to a database server and issues commands, and those commands must not be constructed by concatenating commands and raw user input.
However, if the database system supports it, concatenating input and commands into a new command and executing the new command can also be done on the database side (e.g. within a stored procedure), and is also vulnerable:
```sql
-- Vulnerable on purpose: the argument is spliced into the command text.
-- (T-SQL doubles single quotes inside a string literal; it has no backslash escape.)
CREATE PROCEDURE dbo.GetStudent @FirstName NVARCHAR(255)
AS
BEGIN
    EXECUTE ('SELECT * FROM Students WHERE FirstName = ''' + @FirstName + '''')
END
```
because of the following call:
```sql
-- The embedded quote closes the literal and the rest becomes a second statement.
EXECUTE dbo.GetStudent @FirstName = 'Robert''; DROP TABLE Students; --'
```
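The safe counterparts of that procedure, as an added example that is not part of the issue: the lookup written without dynamic SQL, and, where dynamic SQL is genuinely needed, the value bound through `sp_executesql` instead of being concatenated. The `Students` table and `FirstName` column are assumed from the issue; the procedure names are invented here.

```sql
-- 1. Preferred: no dynamic SQL at all. The engine binds @FirstName as a value,
--    so its contents can never be parsed as part of the statement.
CREATE PROCEDURE dbo.GetStudentSafe @FirstName NVARCHAR(255)
AS
BEGIN
    SELECT * FROM Students WHERE FirstName = @FirstName;
END
GO

-- 2. When the command text really must be built at runtime, keep the user
--    value out of the text and pass it to sp_executesql as a typed parameter.
CREATE PROCEDURE dbo.GetStudentDynamicSafe @FirstName NVARCHAR(255)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM Students WHERE FirstName = @p_FirstName;';
    EXECUTE sp_executesql
        @sql,
        N'@p_FirstName NVARCHAR(255)',   -- parameter definition
        @p_FirstName = @FirstName;       -- bound value, never concatenated
END
GO

-- The payload from the issue is now just an unusual name: both calls run a
-- single SELECT that matches no row, and no DROP TABLE is executed.
EXECUTE dbo.GetStudentSafe        @FirstName = N'Robert''; DROP TABLE Students; --';
EXECUTE dbo.GetStudentDynamicSafe @FirstName = N'Robert''; DROP TABLE Students; --';
```

Detection-wise, the same rule applies on the database side as in the application layer: review every `EXECUTE (<string expression>)` and `EXEC (@var)` in stored procedures for concatenated parameters, and prefer the plain query or `sp_executesql` form.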