I've been wondering if SQL injections are still a possible threat for everyday, normal websites, with parameterized SQL. (ASP.NET - '@0').
If it is still a threat, how would crackers override or get around these parameters?
According to OWASP, it was still the top threat in 2013 (long after ASP.NET came out): https://www.owasp.org/index.php/Top_10_2013-A1-Injection
Parameterized SQL doesn't remove the need to worry about SQL injection. I have worked at a company where previous developers created stored procedures that took a string as a parameter, created some dynamic SQL including that string and executed it. They had claimed it was safe because it was parameterised, but I was able to show that I could pass SQL code into the stored proc and have it executed.
Also, claiming that you are safe from SQL injection because you use a language that supports parameters doesn't mean that you are using parameters every single time. It only takes one slip-up for someone to be able to inject some code into your database.
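The stored-procedure pattern this answer describes, as an added SQL Server illustration that is not the answerer's code: the table, procedure and column names are assumed, and the safe form uses `sp_executesql`, which is the standard way to run dynamic SQL with real parameters.

```sql
-- Constructed sample schema (assumed names, not from the original answers).
CREATE TABLE dbo.Customers (Id INT IDENTITY PRIMARY KEY, LastName NVARCHAR(100) NOT NULL);
INSERT INTO dbo.Customers (LastName) VALUES (N'Smith'), (N'O''Brien');
GO

-- VULNERABLE: @lastName arrives as a proper parameter, but the procedure
-- concatenates it into the statement text, so its content is parsed as SQL,
-- not treated as data. The caller's SqlParameter in ASP.NET does not help here.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @lastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, LastName FROM dbo.Customers WHERE LastName = ''' + @lastName + N'''';
    EXEC (@sql);   -- runs whatever string was assembled above
END
GO

-- HARDENED: the dynamic statement keeps a placeholder (@p) and the value is
-- handed to sp_executesql as a typed parameter, so it is always a literal.
CREATE PROCEDURE dbo.FindCustomer_Safe @lastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, LastName FROM dbo.Customers WHERE LastName = @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(100)', @p = @lastName;
END
GO

-- A perfectly legitimate value containing a quote shows the difference:
-- the safe version returns the O'Brien row, while the unsafe version fails
-- with a syntax error because the quote changed the structure of the query.
EXEC dbo.FindCustomer_Safe   @lastName = N'O''Brien';
EXEC dbo.FindCustomer_Unsafe @lastName = N'O''Brien';
```

When auditing a database for this pattern, search procedure definitions for `EXEC (` or `EXECUTE (` applied to a concatenated string; the parameter list on the outside says nothing about what happens inside.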
Yes, SQL injections are still a threat. There are always new vulnerabilities found with these types of things.
Here are some reasons why injections can still be thought of as a threat.
Those are just a few. Remember though, if you're going to be using an SQL database, make sure that you consider the vulnerabilities in your project before you let the public use it.