  1. #1
    Join Date: Mar 2003
    Posts: 130

    Question Unanswered: Running a delete, insert, update SQL statement from a text field

    Let's say you have a text field on some application that's used as part of a SQL select statement like "SELECT " + txtField.Text() + " FROM [Some_Table];"

    What if the user entered "(DELETE *)" or some other insert, update, etc. in the text field? Is there any way it could embed the statement and really mess things up in your database?

  2. #2
    Join Date: Sep 2002
    Location: UK
    Posts: 5,171
    Provided Answers: 1

    Re: Running a delete, insert, update SQL statement from a text field

    Yes. Google for "SQL injection". And vow never again to build your SQL like that; use bind variables to pass user input to the SQL engine. This also makes the database perform better AND makes your SQL easier to write:

    "SELECT ? FROM [Some_Table]"
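Added example (not from either poster) showing both halves of this thread against an in-memory SQLite table: the question's concatenation pattern, where whatever is typed into the field becomes part of the statement, beside a version that binds user-supplied values with `?` and checks the column name against a fixed allowlist. The allowlist is needed because a bind variable can only stand in for a value (a number, a string), never for an identifier such as a column or table name. The table, rows and column names are constructed for the example.

```python
import sqlite3

# Constructed sample data; not from the forum thread.
SAMPLE_ROWS = [("alice", 30), ("bob", 25)]


def make_db():
    """Create an in-memory database with a small Some_Table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Some_Table (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO Some_Table VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_select(conn, txt_field):
    """The pattern from the question: the field's text is spliced into the SQL.

    The caller decides what the statement means; a subquery or a different
    table name typed into the field is executed as written.
    """
    sql = "SELECT " + txt_field + " FROM Some_Table;"
    return conn.execute(sql).fetchall()


# Identifiers cannot be bound with '?', so the column name is restricted to a
# fixed set that the application defines (assumed columns for this example).
ALLOWED_COLUMNS = {"name", "age"}


def safe_select(conn, column, min_age=None):
    """Allowlisted column name plus a bound value for the filter.

    Raises ValueError for any column not in ALLOWED_COLUMNS. The optional
    min_age is passed as a bind variable, so its contents are data, never SQL.
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {column!r}")
    sql = f"SELECT {column} FROM Some_Table"
    params = ()
    if min_age is not None:
        sql += " WHERE age >= ?"
        params = (min_age,)
    return conn.execute(sql, params).fetchall()


def is_rejected(conn, column):
    """True when safe_select refuses the column name before touching the DB."""
    try:
        safe_select(conn, column)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_select(db, "name"))
    # The field text rewrites the query: a subquery against sqlite_master
    # returns schema information instead of data from Some_Table.
    print(vulnerable_select(db, "(SELECT count(*) FROM sqlite_master)"))
    print(safe_select(db, "name", min_age=26))
    print(is_rejected(db, "(DELETE *)"))
```

Running the block shows the concatenated version returning whatever the field text asks for, while the allowlisted version returns only the expected column and rejects the "(DELETE *)" input from the question before any SQL is sent. Python's `sqlite3.execute` also refuses to run more than one statement per call, which is a useful property of that driver but not a substitute for binding values and validating identifiers, since many other drivers and databases do not behave that way.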
