Every now and then I see sites where commands are concatenated and sent to the database server.
The author must really trust the user inputs!
For every system built this way, you can expect at least one SQL injection attack. In some cases you might not be aware of the attack, and sometimes you are aware.
Here is an example of a "friendly" attack that just promotes a site; when you click the link you execute JavaScript that does who knows what.
This link http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=102737
and this one http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=101673
contain examples of SQL injection attacks.
As I wrote in the first topic, "What if the attack could have encrypted all columns!"
That would be easily spotted in the front-end application.
But what if the attack had scrambled all date columns? How long would it then take to discover the SQL injection attack?
I hope this teaches all newbies, noobs and beginners to NEVER EVER concatenate strings to send to the database.
Always use parameterized queries as the first line of defence.
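To make the point concrete, here is an added example (my own illustration, not code from the post or from the linked topics) of a concatenated query beside its parameterized version, and of the quiet "scramble the dates" scenario above. It uses Python's standard sqlite3 module with a constructed `orders` table; the table, the column names and the payloads are assumptions for the demonstration. Each statement is a single statement, so the behaviour shown does not depend on a server that executes stacked batches, as SQL Server does.

```python
import sqlite3


def make_db():
    """Constructed sample table, for illustration only (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, order_date TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, order_date) VALUES (?, ?)",
        [("alice", "2008-03-01"), ("bob", "2008-03-02"), ("carol", "2008-03-03")],
    )
    conn.commit()
    return conn


def search_concat(conn, customer):
    """VULNERABLE: the request value is glued into the SQL text."""
    sql = (
        "SELECT customer, order_date FROM orders WHERE customer = '"
        + customer
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def search_param(conn, customer):
    """SAFE: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT customer, order_date FROM orders WHERE customer = ? ORDER BY id"
    return conn.execute(sql, (customer,)).fetchall()


def reschedule_concat(conn, order_id, new_date):
    """VULNERABLE: a concatenated UPDATE. Returns the number of rows changed.

    With order_id = "2 OR 1=1" the WHERE clause becomes 'id = 2 OR 1=1' and
    every order_date in the table is silently rewritten; nothing is displayed,
    so the front end has no reason to notice.
    """
    sql = (
        "UPDATE orders SET order_date = '"
        + new_date
        + "' WHERE id = "
        + str(order_id)
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def reschedule_param(conn, order_id, new_date):
    """SAFE: the same UPDATE with both values bound. Returns rows changed.

    The payload "2 OR 1=1" is compared to the id column as a plain value and
    matches nothing, so no row is touched.
    """
    cur = conn.execute(
        "UPDATE orders SET order_date = ? WHERE id = ?", (new_date, order_id)
    )
    conn.commit()
    return cur.rowcount


def all_dates(conn):
    """Helper to inspect what an attack left behind, ordered by id."""
    return [row[0] for row in conn.execute("SELECT order_date FROM orders ORDER BY id")]


if __name__ == "__main__":
    payload = "' OR '1'='1"
    conn = make_db()
    print("concatenated search:", search_concat(conn, payload))   # every row
    print("parameterized search:", search_param(conn, payload))   # no rows

    conn = make_db()
    print("concatenated update changed", reschedule_concat(conn, "2 OR 1=1", "1999-01-01"), "rows")
    print("dates now:", all_dates(conn))                          # all scrambled

    conn = make_db()
    print("parameterized update changed", reschedule_param(conn, "2 OR 1=1", "1999-01-01"), "rows")
    print("dates now:", all_dates(conn))                          # untouched
```

The search case is the visible kind of injection: the tautology returns every row and someone will eventually notice. The reschedule case is the kind the post warns about: one request rewrites every date with no error and no output, and only the parameterized version stops it.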
