I am a junior in SQL and all the SQL injection stuff, and I have some questions.
I have a website; it's written in ASP.NET C#.
Let's say I have an HTML editor and I get the HTML from the client and save it to the DB. Now let's say someone tries to do SQL injection on me. What code does he need to put in the HTML to create the SQL injection (if it can be done... not sure...)?
If he puts SQL injection code into my DB, and it's in the DB, I mean he saves the HTML with the SQL injection statement, when the code is loaded in the HTML editor, can it do the SQL statement?
- When I say select statement I mean something like: select top 10 * from configoration where accountid=10
Please advise me; I am a junior, so be nice =]
SQL injection is an issue if you're manually assembling your SQL statements by concatenating the predicate parameters with the rest of your SQL, then submitting that query to the DB, i.e.
If this is how you're assembling your query, then an injection attempt can be made to terminate that statement where the parameter is, then splice in other SQL to query out data that was not intended.
You can prevent this by using bind variables (which is better anyway), or wrapping up your queries in stored procs.
i.e. in JDBC (C# is very similar):
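The answer's point, written for the asker's ASP.NET C# case, as an added example (it is not code from the answer or from the asker's site). It uses `System.Data.SqlClient`; the table `EditorContent`, its columns `AccountId` and `Html`, and the stored procedure name `usp_SaveEditorContent` are assumptions made up for this example. The unsafe method shows the concatenation pattern the answer warns about; the safe methods show the two fixes it names, bind variables (`SqlParameter`) and a stored procedure. The load method also shows that reading the stored HTML back returns it as a string value; a column value is data, not a statement the server executes.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical data-access class for the question's scenario: HTML from an
// editor is saved to, and loaded from, a SQL Server table EditorContent
// (table, column and procedure names are assumptions for this example).
public class EditorContentRepository
{
    private readonly string _connectionString;

    public EditorContentRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // UNSAFE: builds the statement by string concatenation, the pattern the
    // answer describes. A value containing a single quote closes the string
    // literal early and the remainder of the value becomes part of the SQL.
    public void SaveHtmlUnsafe(int accountId, string html)
    {
        string sql = "INSERT INTO EditorContent (AccountId, Html) VALUES ("
                     + accountId + ", '" + html + "')";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // SAFE (bind variables): the statement text is fixed; the HTML travels
    // to the server as a typed parameter value and is never spliced into
    // the SQL, so its contents cannot change what the statement does.
    public void SaveHtml(int accountId, string html)
    {
        const string sql =
            "INSERT INTO EditorContent (AccountId, Html) VALUES (@AccountId, @Html)";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@AccountId", SqlDbType.Int).Value = accountId;
            // -1 = nvarchar(max), so long editor content is not truncated.
            cmd.Parameters.Add("@Html", SqlDbType.NVarChar, -1).Value = html;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // SAFE (stored procedure): same idea, the values are passed as parameters
    // to a procedure (hypothetical name usp_SaveEditorContent) rather than
    // assembled into statement text in the application.
    public void SaveHtmlViaProc(int accountId, string html)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("usp_SaveEditorContent", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@AccountId", SqlDbType.Int).Value = accountId;
            cmd.Parameters.Add("@Html", SqlDbType.NVarChar, -1).Value = html;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Loading the saved HTML back, shaped like the asker's own
    // "select top 10 ... where accountid=..." query but parameterised.
    // Whatever text was stored comes back as a plain string: the database
    // returns column values, it does not execute them.
    public List<string> LoadHtml(int accountId)
    {
        const string sql =
            "SELECT TOP 10 Html FROM EditorContent WHERE AccountId = @AccountId";
        var results = new List<string>();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@AccountId", SqlDbType.Int).Value = accountId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(reader.GetString(0));
                }
            }
        }
        return results;
    }
}
```

`SaveHtml` and `SaveHtmlViaProc` are safe for the same reason: the query text the server parses never contains user input. A stored procedure only keeps that property if its body does not itself build dynamic SQL from its arguments, so the parameterised `SaveHtml` form is the one to reach for by default.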