Steve Friedl has written a detailed and comprehensive guide to how attackers break into database-backed systems: SQL Injection Attacks by Example. Also included (for those of us on the hook for building these systems) are tips on how to prevent injection attacks.
Comments
Also has to be said that if you must generate programming-language statements on the fly, then you need to convert strings into string literals anyway. For SQL this means doubling up all the apostrophes (in case someone's log-in name is o'reilly), and then SQL injection should not be possible...
My preference has always been for the application to do all its work via stored procedures; you can then give the database user the application connects as no INSERT or UPDATE privileges at all.
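A worked version of the commenter's apostrophe-doubling advice, added here as an example (not from the original post or from Friedl's article), using Python's sqlite3 module and a constructed users table: naive concatenation breaks on the login name o'reilly, doubling the apostrophes produces a correct string literal, and a bound parameter avoids building SQL text from the input at all.

```python
import sqlite3

# Constructed sample data; not from the original page.
USERS = [("alice", "alice@example.invalid"), ("o'reilly", "tim@example.invalid")]


def make_db():
    """Create an in-memory SQLite database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_naive(conn, login):
    """Unsafe: pastes raw input into the statement. A single apostrophe ends the
    literal early, so o'reilly turns into a syntax error (and hostile input
    would be free to rewrite the rest of the statement)."""
    sql = "SELECT email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchone()


def sql_string_literal(value):
    """Turn a Python string into an SQL string literal by doubling apostrophes,
    as the comment suggests. Only correct for string-literal positions: it does
    nothing for numeric values or identifiers, which is why bound parameters
    are the safer default."""
    return "'" + value.replace("'", "''") + "'"


def find_user_escaped(conn, login):
    """Same query, but the value is converted to a proper literal first."""
    sql = "SELECT email FROM users WHERE login = " + sql_string_literal(login)
    return conn.execute(sql).fetchone()


def find_user_param(conn, login):
    """Preferred: a bound parameter never becomes part of the SQL text."""
    return conn.execute("SELECT email FROM users WHERE login = ?", (login,)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    try:
        find_user_naive(conn, "o'reilly")
    except sqlite3.OperationalError as exc:
        print("naive query failed:", exc)
    print(find_user_escaped(conn, "o'reilly"))  # ('tim@example.invalid',)
    print(find_user_param(conn, "o'reilly"))    # ('tim@example.invalid',)
```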