  SQL Server Tips by Gama and Naughter

SQL Injection

SQL injection is a hacking technique that consists of inserting code into input data. When that input is appended to a SQL query, what was meant to be a simple filter becomes a different filter: a logical expression that is always true, or one that returns all the data when it should not. It may also be possible to execute arbitrary TSQL code.

This attack is performed in two situations:

  • To gain access to a server, usually a web server, because most websites use a database for user authentication. By stealing the administrator password it might be possible to access tools that allow online administration of the server. The database server is also vulnerable because it might be possible to execute code or to obtain information that helps crack the SQL Server passwords.
  • To execute TSQL code that causes a denial of service or corrupts data, probably when the other type of attack fails. Users who access the database through a web application or any other indirect route should not have permissions that would allow extensive damage.

If you cannot or do not want to run the tests with ASP or PHP, you can still try the SQL injection methods explained in this section from SQL Query Analyzer: skim through the web application sections and use the stored procedure (SP) from the section on SQL injection in dynamic SQL.

Example: a web application returns the products from the Northwind database that belong to a category whose name is submitted by any visitor, with no authentication. After all, the page provides a search service: users can define a filter for a SELECT statement, and the page does not update, insert or delete data.
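The category search described above, written as two stored procedures that can be run from SQL Query Analyzer. This is an added example, not code from the book: it assumes the Northwind sample database, and the procedure names and the test inputs are constructed for illustration.

```sql
USE Northwind;
GO

-- Vulnerable form: the submitted category name is concatenated into the
-- statement text, so a quote character in the input ends the string literal
-- and the rest of the input is parsed as SQL.
CREATE PROCEDURE dbo.ProductsByCategory_Concat   -- hypothetical name
    @CategoryName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT p.ProductName, p.UnitPrice
                 FROM dbo.Products AS p
                 JOIN dbo.Categories AS c ON c.CategoryID = p.CategoryID
                 WHERE c.CategoryName = ''' + @CategoryName + N'''';
    EXEC (@sql);
END;
GO

-- Hardened form: the statement text is constant and the category name is
-- bound as a typed parameter, so it is only ever compared as data.
CREATE PROCEDURE dbo.ProductsByCategory_Param    -- hypothetical name
    @CategoryName nvarchar(15)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT p.ProductName, p.UnitPrice
                 FROM dbo.Products AS p
                 JOIN dbo.Categories AS c ON c.CategoryID = p.CategoryID
                 WHERE c.CategoryName = @name';
    EXEC sp_executesql @sql, N'@name nvarchar(15)', @name = @CategoryName;
END;
GO

-- Constructed inputs. The first is an ordinary search.
EXEC dbo.ProductsByCategory_Concat @CategoryName = N'Beverages';

-- The second makes the concatenated WHERE clause read
--   c.CategoryName = '' OR '1'='1'
-- which is always true, so the category filter no longer restricts the rows.
EXEC dbo.ProductsByCategory_Concat @CategoryName = N''' OR ''1''=''1';

-- The same input through the parameterized procedure is treated as a literal
-- category name, and no category has that name.
EXEC dbo.ProductsByCategory_Param @CategoryName = N''' OR ''1''=''1';
```

Granting the web application's login EXECUTE on the parameterized procedure only, with no direct table permissions, also limits the damage the second kind of attack in the list above can do.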

The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter  


Burleson Consulting Remote DB Administration







Burleson is the America's Team

Note: The pages on this site were created as a support and training reference for use by our staff of DBA consultants.  If you find it confusing, please exit this page.

Errata?  SQL Server technology is changing and we strive to update our SQL Server support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:and include the URL for the page.

Burleson Consulting
SQL Server database support


Copyright 1996 -  2013 by Vaaltech Web Services. All rights reserved.

Hit Counter