RE: Query Question

Actually, this is a cause for SQL Injection. Let me ask you a question:
if you build a dynamic query that takes my text input and puts it in a
clause such as this, what happens when I put the following into the text
box?

";Exec master.dbo.sp_addlogin 'HackAttack', 'MyHack'; Exec
master.dbo.sp_addsrvrolemember 'HackAttack', 'sysadmin'"

Sincerely,


Anthony Thomas, MCDBA, MCSA


-----Original Message-----
From: Joe Bertone
[mailto:mssqldba-ezmlmshield-x21948894.[Email address protected]
Sent: Thursday, August 26, 2004 11:55 PM
To: LazyDBA Discussion
Subject: RE: Query Question

Hi,

It's actually used to prevent SQL injection when building dynamic
queries.

For example, if someone's building a dynamic SQL query based on input
from a web page, someone could possibly enter this value in the first
field: "Test' or 1=1 --", which will return every record in the query
instead of the filtered (AND) records.

By using where 1=1 you could then, in your dynamic script, test each
variable for a value, and if the value has been selected, then you
generate an AND.

Regards,

Joe
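
Joe's WHERE 1=1 builder and Anthony's point about what the text input can do, side by side as an added example (not code from anyone in the thread): a Python/sqlite3 script that builds the same dynamic filter once by string concatenation and once with bound parameters, run against a constructed three-row table. Table name, columns and rows are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the thread): a small customers table.
ROWS = [("Alice", "Pune"), ("Bob", "Bangalore"), ("Test", "Pune")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", ROWS)
    return conn

def build_unsafe(filters):
    # The pattern from the thread: start from WHERE 1=1 and append an AND
    # for each field that has a value. Values are pasted in as quoted text,
    # so a value containing a quote rewrites the query itself.
    sql = "SELECT name, city FROM customers WHERE 1=1"
    for col, val in filters.items():
        if val:
            sql += f" AND {col} = '{val}'"
    return sql

def build_safe(filters):
    # Same WHERE 1=1 scaffolding, but every value becomes a bound parameter
    # and column names are checked against an allow-list, since identifiers
    # cannot be parameterised.
    allowed = {"name", "city"}
    sql = "SELECT name, city FROM customers WHERE 1=1"
    params = []
    for col, val in filters.items():
        if col not in allowed:
            raise ValueError(f"unknown column {col!r}")
        if val:
            sql += f" AND {col} = ?"
            params.append(val)
    return sql, params

def count_unsafe(filters):
    return len(make_db().execute(build_unsafe(filters)).fetchall())

def count_safe(filters):
    sql, params = build_safe(filters)
    return len(make_db().execute(sql, params).fetchall())

if __name__ == "__main__":
    payload = {"name": "Test' or 1=1 --"}  # the input quoted in the thread
    print(count_unsafe(payload))  # 3: every row comes back
    print(count_safe(payload))    # 0: no name equals that literal string
```

The WHERE 1=1 scaffold is harmless on its own; whether the query is injectable depends entirely on whether each appended value is concatenated or bound.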

-----Original Message-----
From: Satheesh Kumar [mailto:mssqldba-ezmlmshield-x18535652.[Email
address protected]
Sent: Thursday, 26 August 2004 7:40 PM
To: LazyDBA Discussion
Subject: RE: Query Question

Hi,
To handle cases for getting the record count.

Regards,
Satheesh Kumar.S
IT - Application Development
AXA Business Services
Bangalore, India
<<mailto:satheesh.[Email address protected]
Tel No: +91 80 56605198

-----Original Message-----
From: prakash
[mailto:mssqldba-ezmlmshield-x55741692.[Email address protected]
Sent: 26 August 2004 12:10
To: LazyDBA Discussion
Subject: Query Question


Hi All,

Why do some people always use 1=1 in their query? Any reasons behind
this?

Example

Select * from [Table name]
Where 1 =1


Thanks
Prakash Zalkikar
SQL DBA
WebDirekt India Pvt LTD
C 1/19 Kumar City, Kalyani Nagar
Pune - 411014
Phone(O):- 91-20-27031240
Phone(R):- 91-20-27034557
Mobile:- 9422314041
mailto:- p.[Email address protected]

---------------------------------------------------------------------
TO REPLY TO EVERBODY , PLEASE CLICK REPLY-ALL, NOT JUST REPLY
Website : http://www.LazyDBA.com
To unsubscribe: http://www.lazydba.com/unsubscribe.html
For additional commands, e-mail: mssqldba-[Email address protected]