On Jun 25, 2011, at 1:35 PM, Ken Dibble wrote:
>> And THAT is sql injection. It crashes your application.
>
> I guess. It doesn't crash the server, just the data-entry front-end. And it
> wouldn't have to do that if I wrapped it in a TRY... CATCH and just
> returned "Invalid Entry" when it happened.
>
> So it only crashes one desktop app--what good does that do anybody?
>
> I think you're stretching here. *LOL*
SQL injection can do all sorts of damage: it can simply delete all of
your data; it can reveal admin passwords, employee information, etc. In
essence, it enables bad guys to execute any data command they want.
The rule to follow is always to sanitize inputs from users. Every DB
out there has a function for escaping special characters; always make sure that
every piece of text from outside the program is run through these methods
before being passed to the database for execution.
-- Ed Leafe
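As an added example (not code from the thread, and in Python's sqlite3 rather than VFP), here is the failure Ken describes beside the fix Ed recommends: the string-concatenated query breaks on a name containing an apostrophe, while a parameterized query lets the driver do the escaping and treats the same text, including SQL-looking text, purely as data. The table, rows and inputs are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory table with one name that contains an apostrophe.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO employees (name, role) VALUES (?, ?)",
                     [("Ann Smith", "clerk"), ("Pat O'Brien", "admin")])
    return conn


def find_unsafe(conn, name):
    # The data-entry pattern under discussion: user text pasted into the SQL string.
    sql = "SELECT name, role FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_safe(conn, name):
    # Parameter binding: the driver escapes the value, so it can never be parsed as SQL.
    return conn.execute("SELECT name, role FROM employees WHERE name = ?", (name,)).fetchall()


def demo():
    conn = make_db()
    results = {}
    try:
        find_unsafe(conn, "Pat O'Brien")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        # The quote ends the literal early and the statement fails to parse:
        # this is the "crash" the front-end sees.
        results["unsafe_apostrophe"] = "error"
    # The bound version handles the apostrophe and finds the row.
    results["safe_apostrophe"] = find_safe(conn, "Pat O'Brien")
    # Text that looks like SQL is compared as a literal name and matches nothing.
    results["safe_sql_text"] = find_safe(conn, "x' OR 'a'='a")
    return results


if __name__ == "__main__":
    print(demo())
```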
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]