A1 – injection
The injection threat is always based on input data from the user. An interpreter takes this input and incorporates it into the normal flow of a statement that is then executed behind the scenes, so whatever the user supplied becomes part of the code the engine runs.
The key point is that a potential attacker must know the engine they are trying to subvert. The three main engines called out by A1 are SQL, OS, and LDAP, the first being the most common (and that is why it is the most dangerous).
SQL injection
SQL injection is, perhaps, the most well-known of them all. It relies on some characteristics of the SQL language:
- Several statements can be linked together, separated by a semicolon (`;`)
- You can insert an inline comment with a double dash (`--`)
- The programmer doesn't ...