SQL Injection Attack through DDL query

Hi,

I am creating a database, taking the database name as input from the user. In the database name I am replacing '[' with '[[' and ']' with ']]' and passing it to my query. The query has a sort of placeholder for the database name where I use this database name. I have the query in this format: Create database [%s], where %s will be replaced by the database name. Is there any chance of a SQL injection attack in this code? If injection attacks are possible, then please let me know, along with possible ways to handle them, so that I can change my code to handle such attacks.

Thanks in advance.

Pushkar
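An added example, not part of the original post, that compares the replacement described above with standard bracket quoting and parses each result back the way the server reads a delimited identifier. It assumes SQL Server's rule that inside `[...]` only `]` is escaped (as `]]`); the function names and sample inputs are hypothetical.

```python
# Added example: bracket-quoting a SQL Server identifier in application code.
# Assumption: T-SQL delimited identifiers escape only ']' (written as ']]').
MAX_SYSNAME = 128  # sysname is nvarchar(128)


def quote_ident(name: str) -> str:
    """Mirror QUOTENAME with its default delimiter: wrap in [ ], double ']'."""
    if not name or len(name) > MAX_SYSNAME:
        raise ValueError("identifier must be 1..128 characters")
    return "[" + name.replace("]", "]]") + "]"


def post_scheme(name: str) -> str:
    """The replacement described in the post: '[' -> '[[' and ']' -> ']]'."""
    return "[" + name.replace("[", "[[").replace("]", "]]") + "]"


def read_ident(sql: str, start: int = 0):
    """Decode one bracket-delimited identifier.

    Returns (decoded_name, index_just_past_the_closing_bracket)."""
    if sql[start] != "[":
        raise ValueError("expected '['")
    out, i = [], start + 1
    while i < len(sql):
        if sql[i] == "]":
            if sql[i + 1:i + 2] == "]":  # ']]' is an escaped ']'
                out.append("]")
                i += 2
                continue
            return "".join(out), i + 1   # a single ']' closes the identifier
        out.append(sql[i])
        i += 1
    raise ValueError("unterminated identifier")


def create_database_sql(name: str) -> str:
    return "CREATE DATABASE " + quote_ident(name)


# Constructed sample inputs
SAMPLES = ["sales", "a]b", "data[2024]", "x]; SELECT 1 --"]

if __name__ == "__main__":
    for s in SAMPLES:
        for fn in (quote_ident, post_scheme):
            quoted = fn(s)
            name, end = read_ident(quoted)
            print(fn.__name__, repr(s), quoted, repr(name), end == len(quoted))
```

Both schemes keep every sample inside the brackets, but doubling `[` changes any name that contains it. In T-SQL itself, the built-in `QUOTENAME()` produces the same delimited form as `quote_ident`.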