Limit semicolon to prevent SQL injection?

I saw that SQL injection strings are often constructed as follows:

' ; DROP DATABASE db  --

Therefore, if I prohibit semicolons in the inputs to my applications, does this prevent SQL injection attacks 100%?

+5
6 answers

No, this does not prevent SQL injection attacks. Every time you dynamically create SQL, either on the client side or with EXEC inside the stored proc, you run the risk.

Parameterized queries are the preferred way to pass input into a query.

+8
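As an added example (not from the thread), a small sqlite3 harness with a constructed `users` table: the semicolon filter proposed in the question rejects the payload from the question but lets a semicolon-free input rewrite the WHERE clause of a concatenated query, while the parameterized form treats the same input as plain data. The table schema, rows and function names are assumptions.

```python
"""Added example (not from the original thread): why a semicolon filter does not
stop SQL injection, and why a parameterized query does. Uses Python's sqlite3
with a constructed in-memory table; schema and sample rows are assumptions."""
import sqlite3


def make_db():
    """Constructed sample data: two users, each with a secret column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def semicolon_filter(value):
    """The mitigation proposed in the question: reject any input containing ';'."""
    if ";" in value:
        raise ValueError("semicolon rejected")
    return value


def lookup_dynamic(conn, name):
    """Vulnerable: string concatenation, guarded only by the semicolon filter."""
    name = semicolon_filter(name)
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened: the driver binds the value, so it is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups with a constructed input that contains no semicolon."""
    conn = make_db()
    tautology = "x' OR 'a'='a"           # passes the semicolon filter
    dynamic = lookup_dynamic(conn, tautology)       # WHERE clause now always true
    safe = lookup_parameterized(conn, tautology)    # literal name, matches nothing
    return dynamic, safe
```

The filter does stop the exact string from the question (`semicolon_filter` raises), which is why it looks effective in a quick test; `demo()` shows the concatenated query still returning every row for an input the filter accepts.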


It will depend on a lot of things (requests, etc.). You should use prepared statements for this.

+1
