Created by Kevin Feasel
SQL injection is not the only injection attack available.
An injection attack is when you insert code in a manner the application developers did not expect.
Example: your text box populates @Parameter to do a lookup on a table. An attacker overloads @Parameter to perform some unexpected operation.
Another way of thinking about injection attacks: getting "outside" the parameter.
Because of how easy it is to stop SQL injection, your application being susceptible indicates that you may have bigger problems, like:
There is one and only one way to protect yourself against SQL injection: parameterize your queries.
To learn how to do this for non-ASP.Net solutions, go to http://bobby-tables.com.
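The text-box lookup described above, written both ways, as an added example that is not from the original slides. It uses Python's built-in sqlite3 module as a stand-in database; the Product table, its rows, the function names, and the sample input are all constructed for illustration.

```python
import sqlite3

# Constructed input that closes the string literal and gets "outside" the parameter.
HOSTILE = "x' OR '1'='1"

def make_db():
    """Build a constructed in-memory table standing in for the lookup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Product (Id INTEGER PRIMARY KEY, Name TEXT, IsPublic INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Product (Name, IsPublic) VALUES (?, ?)",
        [("Widget", 1), ("O'Brien's Gadget", 1), ("Unreleased prototype", 0)],
    )
    return conn

def lookup_concatenated(conn, name):
    # Vulnerable: the text-box value is pasted into the SQL text, so the
    # database parses it as part of the statement instead of as data.
    sql = ("SELECT Name FROM Product WHERE IsPublic = 1 AND Name = '"
           + name + "' ORDER BY Id")
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # Parameterized: the SQL text is fixed and the value is bound separately,
    # so it can only ever be compared against the Name column.
    sql = ("SELECT Name FROM Product WHERE IsPublic = 1 AND Name = :Parameter "
           "ORDER BY Id")
    return [row[0] for row in conn.execute(sql, {"Parameter": name})]

if __name__ == "__main__":
    conn = make_db()
    # Normal input: both versions behave the same.
    print(lookup_concatenated(conn, "Widget"))
    print(lookup_parameterized(conn, "Widget"))
    # Hostile input: concatenation rewrites the WHERE clause and returns the
    # non-public row; the bound parameter matches no product name at all.
    print(lookup_concatenated(conn, HOSTILE))
    print(lookup_parameterized(conn, HOSTILE))
    # A legitimate name containing an apostrophe breaks the concatenated
    # query with a syntax error, while the parameterized one finds the row.
    try:
        lookup_concatenated(conn, "O'Brien's Gadget")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
    print(lookup_parameterized(conn, "O'Brien's Gadget"))
```

The parameterized version also fixes the ordinary bug of names containing apostrophes, which is a quick way to spot concatenated queries during testing.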