On Thu, Jan 20, 2011 at 4:01 AM, Stephen Russell <[email protected]> wrote:
> SQL injection is a tough thing.  When there is no textbox axis and it
> is not via the url you could be safe.  It is hard to know how to do it
> and when to NOT use it.

Using sp_executesql() can help:

EXECUTE sp_executesql
          N'SELECT * FROM AdventureWorks2008R2.HumanResources.Employee
          WHERE BusinessEntityID = @level',   -- statement text with a parameter marker
          N'@level tinyint',                  -- parameter declaration (name and type)
          @level = 109;                       -- value is bound to the marker, never concatenated into the text

--
Paul
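An added T-SQL example (not from the original post, nor Paul's code) that puts the concatenated form the quoted post worries about beside the sp_executesql form. It assumes the AdventureWorks2008R2 sample database named in the message is attached; the table and column names are that database's own, the input strings are constructed. It also covers one case sp_executesql cannot handle on its own, a variable identifier.

```sql
-- Added example, not part of the original message. Assumes AdventureWorks2008R2
-- is attached (as in the message); the input strings below are constructed.

-- A value as it might arrive from a form field: looks like a surname, but
-- carries a quote and a tautology.
DECLARE @input nvarchar(100) = N'Smith'' OR 1=1 --';

-- 1. Unsafe: concatenation. The quote closes the literal and the rest of the
--    input becomes part of the WHERE clause, so the query returns every row.
DECLARE @unsafe nvarchar(max) =
      N'SELECT BusinessEntityID, FirstName, LastName '
    + N'FROM AdventureWorks2008R2.Person.Person WHERE LastName = '''
    + @input + N'''';
PRINT @unsafe;        -- inspect what would be compiled
-- EXEC (@unsafe);    -- left commented out: it would run the injected predicate

-- 2. Safe: the same statement with a parameter marker. @input is bound as the
--    value of @last and is never parsed as SQL, so the search is for the
--    literal surname "Smith' OR 1=1 --" and matches nothing.
DECLARE @safe nvarchar(max) =
      N'SELECT BusinessEntityID, FirstName, LastName '
    + N'FROM AdventureWorks2008R2.Person.Person WHERE LastName = @last';
EXEC sp_executesql @safe, N'@last nvarchar(100)', @last = @input;

-- 3. A typed parameter also enforces the type. Trying to smuggle a statement
--    through a numeric parameter fails at conversion instead of running.
DECLARE @numeric_attack nvarchar(100) = N'109; DROP TABLE Person.Person; --';
BEGIN TRY
    EXEC sp_executesql
        N'SELECT * FROM AdventureWorks2008R2.HumanResources.Employee
          WHERE BusinessEntityID = @level',
        N'@level int',
        @level = @numeric_attack;
END TRY
BEGIN CATCH
    PRINT N'Rejected: ' + ERROR_MESSAGE();
END CATCH;

-- 4. Caveat: parameters carry values only. A table or column name that must
--    vary cannot be a parameter; check it against an allow-list and wrap it
--    with QUOTENAME. Concatenating it raw reopens the hole.
DECLARE @col sysname = N'LastName';   -- constructed; imagine it came from a sort/filter control
IF @col NOT IN (N'FirstName', N'LastName')
BEGIN
    RAISERROR(N'Unexpected column name', 16, 1);
    RETURN;
END;
DECLARE @by_column nvarchar(max) =
      N'SELECT BusinessEntityID FROM AdventureWorks2008R2.Person.Person WHERE '
    + QUOTENAME(@col) + N' = @value';
EXEC sp_executesql @by_column, N'@value nvarchar(100)', @value = @input;
```

The two things to check in any dynamic SQL you meet are therefore: does every user-supplied value travel through the parameter list rather than the statement string, and is every user-influenced identifier both allow-listed and QUOTENAMEd. If the application can parameterize on the client side (ODBC/ADO parameters) that is simpler still, since the statement text never has to be assembled in T-SQL at all.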

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
