Welcome to UCSM family forum

Let's gather and share
 

 Stop SQL Injection Attacks Before They Stop You

NetSnow
Moderator


Number of posts: 24
Age: 30
Registration date: 2006-11-13

Post subject: Stop SQL Injection Attacks Before They Stop You   Wed Dec 03, 2008 10:39 am

First, I'm not a database expert. I just want to share a good article on SQL injection.

Most developers happen to forget to guard against SQL injection, especially while we are trying to meet tight deadlines. It has happened to me frequently.

Anyway, I hope it's worth sparing your time to read this article.

The hacker breaks into the system by injecting malformed SQL into the query.
This particular hack works because the executed query is formed by the
concatenation of a fixed string and values entered by the user, as shown
here:

string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";


In the case of the user entering a valid user name of "Paul"
and a password of "password", strQry becomes

SELECT Count(*) FROM Users
WHERE UserName='Paul' AND Password='password'

But when the hacker enters

' Or 1=1 --

the query now becomes:

SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''

Because a pair of hyphens designates the beginning of a comment in SQL, the query becomes simply:

SELECT Count(*) FROM Users WHERE UserName='' Or 1=1

The expression 1=1 is always true for
every row in the table, and a true expression or'd with another expression will
always return true. So, assuming there's at least one row in the Users table,
this SQL will always return a nonzero count of records. Not all SQL injection
attacks involve forms authentication. All it takes is an application with some
dynamically constructed SQL and untrusted user input. Given the right
conditions, the extent of damage caused by such an attack may be limited only by
the extent of the hacker's knowledge of the SQL language and the database
configuration.

The whole article, including how to prevent SQL injection, is here:


http://msdn.microsoft.com/en-us/magazine/cc163917.aspx


Regards,
netsnow
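The following is an added example, not code from the post or from the MSDN article it quotes. It replays the article's scenario against an in-memory SQLite table (constructed here) using Python's sqlite3 module instead of the article's C#/ADO.NET: the concatenated query from the article beside its parameterized counterpart, fed the article's own inputs ("Paul"/"password" and the ' Or 1=1 -- string). The table contents, the count_users_vulnerable and count_users_parameterized function names, and the extra "O'Brien" row are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed Users table standing in for the article's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Paul', 'password')")
    # Constructed legitimate user whose name contains a quote character.
    conn.execute("INSERT INTO Users VALUES ('O''Brien', 's3cret')")
    conn.commit()
    return conn


def count_users_vulnerable(conn, user, password):
    """The article's pattern: query text built by string concatenation.

    Whatever the caller supplies becomes part of the SQL grammar, so a
    value such as  ' Or 1=1 --  rewrites the WHERE clause and comments
    out the password check.
    """
    qry = ("SELECT Count(*) FROM Users WHERE UserName='" + user
           + "' AND Password='" + password + "'")
    return conn.execute(qry).fetchone()[0]


def count_users_parameterized(conn, user, password):
    """Hardened form: placeholders in the SQL, values bound separately.

    The driver passes user and password to the engine as data; they are
    never parsed as SQL, so quotes and comment markers stay literal.
    """
    qry = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(qry, (user, password)).fetchone()[0]


def vulnerable_query_fails(conn, user, password):
    """True if the concatenated query is rejected as malformed SQL.

    Shows the other cost of concatenation: a legitimate value containing
    a quote (O'Brien) breaks the statement instead of being matched.
    """
    try:
        count_users_vulnerable(conn, user, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    injected = "' Or 1=1 --"   # the article's malicious input
    print("valid login, concatenated:  ",
          count_users_vulnerable(db, "Paul", "password"))
    print("injected, concatenated:     ",
          count_users_vulnerable(db, injected, "anything"))
    print("valid login, parameterized: ",
          count_users_parameterized(db, "Paul", "password"))
    print("injected, parameterized:    ",
          count_users_parameterized(db, injected, "anything"))
    print("O'Brien breaks concatenated:",
          vulnerable_query_fails(db, "O'Brien", "s3cret"))
    print("O'Brien, parameterized:     ",
          count_users_parameterized(db, "O'Brien", "s3cret"))
```

Running it shows the concatenated query returning a nonzero count for the injected input with no valid password at all, exactly as the article describes, while the parameterized query returns 0 for the same input and still matches the quoted name O'Brien that the concatenated version cannot even parse. The fix is the placeholder-and-bind pattern, not escaping quotes by hand.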
 
