http://articles.techrepublic.com.com/5100-10878_11-5083541.html
“SQL Server can encrypt the following components:
- Definitions of stored procedures, views, triggers, user-defined functions, defaults, and rules
- Data sent between the server and the client”
“If SQL injection was just a data exposure vulnerability, it would be bad enough. But in fact a determined attacker can exploit this mistake to do almost anything. Here's one nasty example of a bit of SQL that could be injected:
';DROP TABLE Customers;--
The SQL statement then becomes:
SELECT ContactName FROM Customers
WHERE CustomerID = ''
;DROP TABLE Customers;-- '
The semicolon is a statement separator for SQL Server, so there are actually two statements here. The first selects a nonexistent contact name, and the second drops the entire Customers table! The double dash (--) is a SQL Server comment character, which prevents the trailing quote from causing a syntax error.
Using this variant of the technique, an attacker can run any SQL statement or stored procedure on your server. By using the xp_cmdshell extended stored procedure, an attacker can also run operating system commands. Obviously this is a severe problem.”
So, how do you prevent SQL injection? The
first answer is that you simply can't build WHERE clauses
user comment: I guess if you're expecting an int, make sure it's an int before you go plugging it into a SQL statement.
Dim cId : cId = CLng(Request("CUSTOMER_ID"))
Also, I learned this trick from someone, when dealing with strings: replace all ' with '' or with some other character that isn't used as a string delimiter in SQL Server, like the `, so if someone tries to log in to a site using SQL injection, you've got them covered. You could also use the HTML XX; equivalent of '. Good article!
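Added example (mine, not code from the TechRepublic article or from the comment above): the concatenated query the article describes, run against an in-memory SQLite database so the DROP TABLE can be watched happening, next to the two tips from the comment (integer check, quote doubling) and a parameterised query. sqlite3's executescript() stands in for SQL Server's batch execution, since sqlite3's execute() refuses a second statement; the Customers rows and the helper names are my own, not from the article.

```python
import re
import sqlite3

# Constructed sample table, not data from the article.
SEED_SQL = """
CREATE TABLE Customers (CustomerID TEXT PRIMARY KEY, ContactName TEXT);
INSERT INTO Customers VALUES ('ALFKI', 'Maria Anders');
INSERT INTO Customers VALUES ('ANATR', 'Ana Trujillo');
"""

# The payload quoted in the article.
PAYLOAD = "';DROP TABLE Customers;--"


def fresh_db():
    """Return a new in-memory SQLite database holding the sample Customers table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SEED_SQL)
    return db


def table_exists(db, name):
    """True if a table called `name` is still present in the schema."""
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_vulnerable_sql(customer_id):
    """The string concatenation the article criticises: the value is pasted into the SQL text."""
    return "SELECT ContactName FROM Customers WHERE CustomerID = '" + customer_id + "'"


def run_vulnerable(db, customer_id):
    """Execute the concatenated query the way a batch-capable server would.

    executescript() is used as a stand-in (my assumption, not the article's setup) for
    SQL Server's batch execution: every semicolon-separated statement in the text runs.
    sqlite3's execute() would refuse the second statement, hiding the bug rather than fixing it.
    """
    db.executescript(build_vulnerable_sql(customer_id))


def lookup_contact_safe(db, customer_id):
    """Parameterised query: the value is bound separately from the SQL text, so the
    payload is compared as a (non-matching) CustomerID and is never parsed as SQL."""
    row = db.execute(
        "SELECT ContactName FROM Customers WHERE CustomerID = ?", (customer_id,)
    ).fetchone()
    return row[0] if row else None


def parse_customer_number(value):
    """The comment's first tip (CLng(Request("CUSTOMER_ID"))) done strictly:
    accept only an integer literal and reject everything else before any SQL is built."""
    if not isinstance(value, str) or re.fullmatch(r"-?\d+", value.strip()) is None:
        raise ValueError("CUSTOMER_ID must be an integer")
    return int(value)


def escape_quotes(value):
    """The comment's second tip: double every single quote so it cannot close the literal.
    Only meaningful inside a quoted string context; a fallback, not a replacement for parameters."""
    return value.replace("'", "''")


if __name__ == "__main__":
    db = fresh_db()
    print("concatenated SQL:", build_vulnerable_sql(PAYLOAD))
    run_vulnerable(db, PAYLOAD)
    print("Customers survived concatenation:", table_exists(db, "Customers"))

    db = fresh_db()
    print("parameterised lookup of payload:", lookup_contact_safe(db, PAYLOAD))
    print("Customers survived parameters:", table_exists(db, "Customers"))

    db = fresh_db()
    run_vulnerable(db, escape_quotes(PAYLOAD))
    print("Customers survived quote doubling:", table_exists(db, "Customers"))
```

Quote doubling only matters inside a quoted string literal; a numeric comparison such as WHERE CustomerID = 42 has no quotes to escape, so for integer ids the CLng-style check or a bound parameter is what does the work. Parameters cover both cases with one mechanism.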