Protecting SQL Server against SQL injection

SQL injection is the insertion of crafted characters into a SQL query so as to change what the query does: retrieving more information than intended, modifying data or data structures, or even gaining access to the operating system of the database server. It can happen whenever a dynamic, ad hoc SQL query is assembled as a string in the application code.
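The following is an added example, not code from the book: it puts the ad hoc, string-built query the paragraph describes beside its parameterized form. The table, rows and test inputs are constructed, and sqlite3 stands in for SQL Server only so the example runs offline; the `?` placeholder syntax is the same one pyodbc uses against SQL Server, so the parameterized function is unchanged when the connection is swapped.

```python
import sqlite3

# Constructed sample data standing in for a SQL Server table. sqlite3 is used
# only so the example runs offline; both sqlite3 and pyodbc (a common Python
# driver for SQL Server) accept the same "?" positional placeholders.
USERS = [("alice", "a-secret"), ("bob", "b-secret"), ("carol", "c-secret")]


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Ad hoc SQL built by string concatenation: the caller's input becomes part
    of the statement text, so a quote character in it changes the statement's
    structure instead of being compared as a value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Same query with a bound parameter: the statement text is fixed and the
    input is sent separately, so it can only ever be compared as a value."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with a normal name and with a constructed input that
    closes the string literal and appends an always-true condition."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed test input
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the constructed input, the concatenated version returns every row because the WHERE clause has become `name = 'x' OR '1'='1'`, while the parameterized version returns nothing because no user is literally named `x' OR '1'='1`. The same distinction applies inside SQL Server itself: dynamic T-SQL run through `EXEC` on a concatenated string has the first behaviour, and `sp_executesql` with declared parameters has the second.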

Since DBMSs such as SQL Server implement a dedicated, more or less relational, language to give access to their content, a web developer needs to know two languages: the client language of the web application, for example ASP.NET or PHP, and the SQL language used to query the data. The SQL queries are embedded in the client code, sometimes built dynamically, and ...
