MSSQL LIKE and IN statements in ADO problem

Raja Raman Sundararajan ram0812 at hotmail.com
Wed Jan 18 12:24:15 EST 2006


Yes, Steve you have a very good point.
Gregarcian, I am using the parameterized SQL to avoid such
vulnerability.
For example, in your example use
name = "%'WAITFOR DELAY '00:00:03'--%"
and directly substitute it to the statement
"select * from table_name where name like '%s' " % (name)
The server will have to wait for three seconds and will return all the
rows in the table,
which is unwanted.
I am trying to use parameterized statements to avoid this sort of SQL
injection problem
and have not managed yet to fix the LIKE and IN statement problems.

/Raja Raman
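The approach the thread is circling around (bind the value, never splice it into the SQL text) also works for LIKE and IN; the following is an added example, not code from the poster or the list. It uses sqlite3 so it runs offline, but the "?" placeholder style and the ESCAPE clause are the same on MSSQL via ADO/pyodbc; table and column names are assumptions.

```python
import sqlite3

# Constructed sample rows; the thread used MSSQL via ADO, but sqlite3 runs
# offline and uses the same "?" (qmark) placeholder style as ADO drivers.
ROWS = [("alice",), ("bob",), ("100%_sure",), ("carol",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_name (name TEXT)")
    conn.executemany("INSERT INTO table_name VALUES (?)", ROWS)
    return conn


def escape_like(fragment, esc="\\"):
    """Escape LIKE metacharacters so user text is matched literally."""
    return (fragment.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))


def search_like(conn, fragment):
    # The whole pattern travels as a bound parameter, so a value such as
    # "%'WAITFOR DELAY '00:00:03'--%" is compared as text, never executed.
    pattern = "%" + escape_like(fragment) + "%"
    sql = "SELECT name FROM table_name WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def search_in(conn, names):
    # IN needs one placeholder per value; only the placeholder list is
    # built with string formatting, the values themselves stay bound.
    if not names:
        return []
    placeholders = ",".join("?" * len(names))
    sql = "SELECT name FROM table_name WHERE name IN (%s)" % placeholders
    return [row[0] for row in conn.execute(sql, tuple(names))]


if __name__ == "__main__":
    db = make_db()
    print(search_like(db, "%'WAITFOR DELAY '00:00:03'--"))  # []
    print(search_in(db, ["bob", "carol"]))                   # ['bob', 'carol']
```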
