David-Seis / SecureYourAzureData


2.4 Applications - Preventing SQL Injection Attacks - Activity: Parameterized Queries and Error Handling - 2 #281

Closed Pietervanhove closed 2 years ago

Pietervanhove commented 2 years ago

"Run the query below showing how parameterizing the query helps prevent injection strings." The query is not correct. Should be:

```sql
DECLARE @Loginid tinyint

SET @Loginid = ''
--user input = '' or 1=1--
SELECT *
FROM Patient
WHERE loginid = @Loginid --parameterized input

SET @Loginid = 3
--user input = 3
SELECT *
FROM Patient
WHERE loginid = @Loginid --parameterized input
```
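An added example, not code from this issue or from the SecureYourAzureData repository, that shows the same point outside T-SQL: a Python `sqlite3` script with a constructed `Patient` table, where the activity's injection string `'' or 1=1--` is concatenated into the statement in one function and bound as a parameter in the other.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data standing in for the activity's Patient table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Patient (loginid INTEGER PRIMARY KEY, name TEXT)")
    con.executemany(
        "INSERT INTO Patient VALUES (?, ?)",
        [(1, "Ada"), (2, "Grace"), (3, "Linus")],
    )
    return con


def lookup_concatenated(con, user_input):
    # VULNERABLE: the user input is pasted into the SQL text, so quotes and
    # comment markers in it become part of the statement itself.
    sql = f"SELECT loginid, name FROM Patient WHERE loginid = {user_input}"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, user_input):
    # SAFE: the driver sends the input as a bound value (the Python analogue of
    # WHERE loginid = @Loginid); it is compared as data and cannot change the
    # shape of the statement.
    sql = "SELECT loginid, name FROM Patient WHERE loginid = ?"
    return con.execute(sql, (user_input,)).fetchall()


def demo():
    con = make_db()
    hostile = "'' or 1=1--"  # the user input from the activity (constructed sample)
    return {
        # WHERE loginid = '' or 1=1--   -> every patient row comes back
        "concat_hostile": lookup_concatenated(con, hostile),
        # WHERE loginid = 3             -> the vulnerable code "works" for honest input
        "concat_legit": lookup_concatenated(con, "3"),
        # the whole string is compared against loginid as a value -> no rows
        "param_hostile": lookup_parameterized(con, hostile),
        # the bound integer 3 matches exactly one patient
        "param_legit": lookup_parameterized(con, 3),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

In the T-SQL of the activity the variable is a `tinyint`, so SQL Server would refuse to assign the hostile string at all (a conversion error) rather than evaluate it; the `sqlite3` version above returns no rows instead, which is the same outcome for the attacker.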
David-Seis commented 2 years ago

Thank you. The type of handling I was trying to demonstrate is not possible in SQL unless the syntax is correct, which is shown. Fixed!