'; DELETE Orders;--
INSERT Favourites (UserID, FriendlyName, Criteria)
VALUES(123, 'My Attack', ''';DELETE Orders;--')
int uid = this.GetUserID();
string friendlyName = this.GetFriendlyName();
string sql = string.Format("SELECT Criteria FROM Favourites "+
"WHERE UserID={0} AND FriendlyName='{1}'",
uid, friendlyName);
SqlCommand cmd = new SqlCommand(sql, this.Connection);
string criteria = cmd.ExecuteScalar();
sql = string.Format("SELECT * FROM Products WHERE ProductName = '{0}'",
criteria);
SqlDataAdapter da = new SqlDataAdapter(sql, this.Connection);
da.Fill(this.productDataSet);
SELECT * FROM Products WHERE ProductName = ''; DELETE Orders;--
hellbringer hat geschrieben:So macht mans auch nicht.
Eher so:
SELECT * FROM `Products` WHERE `ProductName` IN (SELECT `Criteria` FROM `Favourites` WHERE .....)
hellbringer hat geschrieben:Und wenn man Strings vorher immer schön brav escaped, kann sowieso nix passieren.
Mitglieder in diesem Forum: 0 Mitglieder und 19 Gäste