Another Believer! (EXEC sp_name param, 'param') -Not!

Vis-a-vis my last number on why not to use "Exec spname paramvalue" etc. -- my friend figured out that all the places he was doing new SqlDataAdapter("exec mysp 1,5 'hello'"); are open to SQL injection attack (he thought they were immune to it). Why? Simple: if an attacker can get control of any part of that SQL string, they can just append ";DELETE TABLENAME" and the server will run it along with the EXEC. DOH!

So now he is happily rewriting everything to use SqlHelper, turning all those inline text strings into object[] parms = {1, 5, "hello"}; object arrays that get passed as real stored-procedure parameters instead of being glued into the command text.

You see that? You are only dumb when you think you know everything...
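To make the before-and-after concrete, here is an added example (my own code, not from the post or from SqlHelper) showing the "exec mysp 1,5 'hello'" string-building pattern next to a parameterized call through plain ADO.NET. It assumes a stored procedure dbo.mysp(@id int, @count int, @text nvarchar(50)) and a connection string; both names are placeholders for the illustration.

```csharp
// Added example, not from the original post. Assumes a hypothetical
// stored procedure dbo.mysp(@id int, @count int, @text nvarchar(50)).
using System;
using System.Data;
using System.Data.SqlClient;

public static class StoredProcCalls
{
    // VULNERABLE: the caller-supplied text is pasted straight into the
    // command string. If "text" arrives as   hello'; DELETE TABLENAME --
    // the server receives two statements and executes both of them.
    public static DataSet VulnerableCall(string connectionString, int id, int count, string text)
    {
        string sql = "exec mysp " + id + "," + count + " '" + text + "'";
        var adapter = new SqlDataAdapter(sql, connectionString);
        var ds = new DataSet();
        adapter.Fill(ds);
        return ds;
    }

    // SAFE: CommandType.StoredProcedure plus typed parameters. The values are
    // sent to SQL Server as RPC parameters, not as text to be parsed, so a
    // quote or semicolon inside "text" is just data in @text.
    public static DataSet ParameterizedCall(string connectionString, int id, int count, string text)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.mysp", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@count", SqlDbType.Int).Value = count;
            cmd.Parameters.Add("@text", SqlDbType.NVarChar, 50).Value = text;

            var adapter = new SqlDataAdapter(cmd); // adapter opens and closes conn for Fill
            var ds = new DataSet();
            adapter.Fill(ds);
            return ds;
        }
    }
}
```

The object[] form the post mentions is the same idea one layer up: the Data Access Application Block's SqlHelper.ExecuteDataset(connectionString, "dbo.mysp", id, count, text) builds the SqlCommand above for you, deriving the procedure's parameter set and assigning the array values to it by position. One caveat worth checking while rewriting: parameterizing the call only protects the call itself. If mysp builds a string from @text and runs it with EXEC inside the procedure, the injection point just moves into T-SQL, so review the procedure bodies too.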
