From the course: SQL Server: Security for Developers


Demo: Dynamic SQL parameterization


- [Instructor] In this demo I wanted to show a few typical SQL injection attacks. The first one is probably one of the more advanced ones, but we're going to declare V as varchar(255); that's going to be our parameter. Somebody has passed in an attack, or potentially has passed in this hex string that we see here on line four. In this simple example we're just going to go ahead and print that, so we're going to see what would happen. And what that generates is sp_helpdb, which is a system stored procedure, so on line seven we're going to go ahead and execute that. And what sp_helpdb does is give us a list of all the databases on a given server. As you can imagine, that might be something a hacker would be interested in. If we were executing this code arbitrarily, what would happen is the user would get passed back this value in his return from whatever webpage you're using. That would help the attacker better understand the surface area of your server and dive deeper in with its…
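The pattern the instructor describes, reconstructed as an added T-SQL example (this is not the course's own demo script): a hex literal whose bytes spell sp_helpdb is assigned to a varchar parameter and executed, then the same untrusted value is passed through sp_executesql so it can only ever be a value, never a statement. The catalog objects (sys.databases, sys.sp_executesql, sp_helpdb) are real SQL Server objects; the hex value and the @dbName lookup are constructed test input.

```sql
-- Added example, not the course's code. Runs in any SQL Server / Azure SQL session.

-- 1. The attack as described: the caller supplies a hex literal. Assigning a
--    binary constant to varchar implicitly reinterprets the bytes as characters.
DECLARE @v varchar(255) = 0x73705F68656C706462;   -- 73 70 5F 68 65 6C 70 64 62 = 'sp_helpdb'
PRINT @v;                                          -- prints: sp_helpdb

-- Vulnerable: the caller's value IS the statement. EXEC(@v) runs sp_helpdb and
-- returns every database on the instance, which is the attacker's survey of the
-- server's surface area. Harmless to run here, fatal as a pattern in real code.
EXEC (@v);

-- 2. Hardened: the untrusted value is only ever a parameter of a fixed statement.
--    sp_executesql receives it as a typed value, so its contents are never parsed as T-SQL.
DECLARE @dbName sysname = @v;                      -- same attacker-supplied bytes
DECLARE @sql nvarchar(max) =
    N'SELECT name, database_id FROM sys.databases WHERE name = @name;';
EXEC sys.sp_executesql @sql, N'@name sysname', @name = @dbName;
-- Returns zero rows: no database is literally named 'sp_helpdb', and nothing else executes.

-- 3. When an identifier (not a value) must be dynamic, validate it against the
--    catalog first and wrap it in QUOTENAME so it cannot be read as code.
IF EXISTS (SELECT 1 FROM sys.databases WHERE name = @dbName)
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@dbName) + N'; SELECT DB_NAME() AS current_db;';
    EXEC sys.sp_executesql @sql;
END
ELSE
    RAISERROR(N'Unknown database: %s', 16, 1, @dbName);  -- the payload lands here
```

The split between steps 2 and 3 is the point of the lesson: a value belongs in an sp_executesql parameter, an identifier belongs behind an allow-list and QUOTENAME, and neither ever gets concatenated raw into the string handed to EXEC.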
