SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is thereby unexpectedly executed. SQL injection attacks are also known as SQL insertion attacks. You can find more information about SQL injection here.
General SQL Parser can help you defend against SQL injection in many ways. This article introduces a basic, simple but effective way to protect your application from SQL injection attacks.
Most SQL server implementations allow multiple statements to be executed in one call, like this:
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
General SQL Parser can parse a SQL script to determine whether it contains two or more commands (code in C#). For the script above it reports three SQL commands, with command types SELECT, DROP TABLE and SELECT respectively.
Parsing every SQL script with General SQL Parser prior to execution, and refusing to run any script that contains more than one statement, prevents attackers from injecting entirely separate queries like this.
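The check described above, as an added example that is not General SQL Parser's own code: a minimal scanner that counts top-level statements while skipping string literals, quoted identifiers and comments, so a ';' inside a quoted value is not taken for a statement boundary (a plain split on ';' gets that wrong). It assumes standard SQL quoting (a doubled quote as the escape) and does not handle backslash escapes.

```python
# Added example (not General SQL Parser's code): approximates the stacked-
# statement check by counting top-level statements, skipping string literals,
# quoted identifiers and comments. Assumes standard doubled-quote escaping.

def count_statements(sql: str) -> int:
    """Return the number of top-level statements in `sql`."""
    n, i, count = len(sql), 0, 0
    pending = False  # non-blank statement text seen since the last ';'
    while i < n:
        c = sql[i]
        if c in "'\"":                     # string literal or quoted identifier
            i += 1
            while i < n:
                if sql[i] == c:
                    if i + 1 < n and sql[i + 1] == c:  # doubled quote = escape
                        i += 2
                        continue
                    break
                i += 1
            pending = True
        elif sql.startswith("--", i):      # line comment: skip to end of line
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl
            continue
        elif sql.startswith("/*", i):      # block comment: skip to closing */
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        elif c == ";":                     # statement terminator at top level
            if pending:
                count += 1
                pending = False
        elif not c.isspace():
            pending = True
        i += 1                             # also steps past a closing quote
    return count + (1 if pending else 0)   # last statement may lack a ';'

def naive_count(sql: str) -> int:
    """What a plain split on ';' reports; miscounts ';' inside literals."""
    return sum(1 for part in sql.split(";") if part.strip())

def is_single_statement(sql: str) -> bool:
    """Gate to apply before handing user-influenced SQL to the driver."""
    return count_statements(sql) == 1

if __name__ == "__main__":
    injected = ("SELECT * FROM users WHERE name = 'a';DROP TABLE users; "
                "SELECT * FROM userinfo WHERE 't' = 't';")
    print(count_statements(injected), is_single_statement(injected))  # 3 False
```

For `SELECT * FROM users WHERE name = 'a;b'` the scanner reports one statement while `naive_count` reports two, which is why splitting on ';' alone is not a usable filter.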
Of course, General SQL Parser processes complex SQL correctly, and allows statements such as:
SELECT *
If you have any questions about using General SQL Parser to defend against SQL injection, you can always send us an email and we'll get back to you within 24 hours.
Yes, of course. We collect all kinds of examples on this page to illustrate how and why you would want to use General SQL Parser; we hope it helps you make better use of this library.