Suppose an attacker enters the following string in the SSN text box:
' ; DROP DATABASE pubs --
The application takes that input and calls a stored procedure with the code below. The untrusted text is concatenated straight into the command string, and the stored procedure internally executes a similar SQL statement.
using System.Data.SqlClient;

// Vulnerable: SSN.Text is untrusted user input and is concatenated directly into the command text.
SqlDataAdapter myCommand = new SqlDataAdapter(
    "LoginStoredProcedure '" +
    SSN.Text + "'", myConnection);
The code injects the user's malicious input into the command text. The single quote in the input closes the string literal the code opened, the semicolon ends that statement, DROP DATABASE pubs runs as a second statement in the same batch, and the trailing -- turns the closing quote the code appends into a comment. The database therefore executes the following query:
SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE pubs --'
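The following added example is not from the original post or the referenced Microsoft article; it reproduces the injection above in Python against an in-memory SQLite database so it can be run offline. It assumes a constructed authors table with two sample rows, and substitutes DROP TABLE authors for DROP DATABASE pubs because SQLite has no DROP DATABASE statement. The concatenated query is executed as a batch (as SQL Server does with the command text above) and the same payload is then sent through a parameterized query, where it is treated as a plain value.

```python
import sqlite3

# Constructed stand-in for the pubs.authors table used in the text (sample data, not real records).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE authors (au_id TEXT PRIMARY KEY, au_lname TEXT, au_fname TEXT);
        INSERT INTO authors VALUES ('172-32-1176', 'White', 'Johnson');
        INSERT INTO authors VALUES ('213-46-8915', 'Green', 'Marjorie');
    """)
    return conn

# The payload from the text, with DROP TABLE standing in for DROP DATABASE (SQLite has no databases to drop).
PAYLOAD = "' ; DROP TABLE authors --"

def build_unsafe_query(ssn):
    # Mirrors the page's string concatenation: the input is pasted straight into the SQL text.
    return "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + ssn + "'"

def lookup_unsafe(conn, ssn):
    # executescript runs the whole batch, which is how SQL Server treats a concatenated command string.
    # (sqlite3's execute() refuses multi-statement strings; that quirk of one driver is not a defence
    # to rely on, so the batch behaviour is modelled explicitly here.)
    conn.executescript(build_unsafe_query(ssn))

def lookup_safe(conn, ssn):
    # Parameterized query: the driver binds the value separately, so it is never parsed as SQL.
    return conn.execute(
        "SELECT au_lname, au_fname FROM authors WHERE au_id = ?", (ssn,)
    ).fetchall()

def table_exists(conn, name):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def demo():
    conn = make_db()
    legit = lookup_safe(conn, "172-32-1176")      # normal lookup still works: [('White', 'Johnson')]
    safe_rows = lookup_safe(conn, PAYLOAD)        # payload matched as a literal id: no rows
    intact_after_safe = table_exists(conn, "authors")   # True: nothing was dropped
    lookup_unsafe(conn, PAYLOAD)                  # concatenated batch: the injected DROP runs
    dropped = not table_exists(conn, "authors")   # True
    return legit, safe_rows, intact_after_safe, dropped

if __name__ == "__main__":
    print(build_unsafe_query(PAYLOAD))
    print(demo())
```

In .NET the equivalent of lookup_safe is a SqlCommand whose CommandType is StoredProcedure (or a parameterized query) with the SSN supplied through SqlCommand.Parameters rather than concatenated into the command text; the value then reaches the server as data, not as part of the SQL batch.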
Reference:
How To: Protect From SQL Injection in ASP.NET