SQL Injection - MsSQL
- Risk: High
- Type: Active
- CWE: CWE-89
- Summary
SQL injection may be possible.
- Solution
Do not trust client-side input, even if there is client-side validation in place. In general, type-check all data on the server side. If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'. If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries. If database stored procedures can be used, use them. Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality! Do not create dynamic SQL queries using simple string concatenation. Escape all data received from the client. Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters, to user input. Apply the principle of least privilege by using the least privileged database user possible. In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but it minimizes its impact. Grant only the minimum database access that the application needs.
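An added example, not part of the alert text, showing why the solution above insists on '?' parameters and server-side allow-listing. It uses an in-memory sqlite3 table as a stand-in for the application's MsSQL user table (the names, the table and the probe input are all constructed for the demo); the same contrast holds for JDBC PreparedStatement or ADO Command parameters.

```python
import sqlite3

# Constructed in-memory database standing in for the application's user table.
# sqlite3 is used only so the example runs offline; the page concerns MsSQL.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def count_vulnerable(conn: sqlite3.Connection, name: str) -> int:
    # Dynamic SQL built by string concatenation: the client value becomes part of
    # the query text, so a quote in the input can change the query's structure.
    sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()[0]

def count_parameterized(conn: sqlite3.Connection, name: str) -> int:
    # '?' placeholder as the solution recommends: the driver binds the value as
    # data, so whatever it contains, it can only ever be compared to the column.
    row = conn.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]

def is_allowed_name(name: str) -> bool:
    # Server-side allow list (defence in depth; parameters remain the real fix).
    return 0 < len(name) <= 32 and all(c.isalnum() or c in "_-" for c in name)

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input of the kind a scanner submits
    print(count_vulnerable(db, probe))     # 2: the tautology matches every row
    print(count_parameterized(db, probe))  # 0: no user is literally named that
    print(is_allowed_name(probe))          # False: rejected before any query
```

The concatenated query returns every row for the probe, while the parameterized query returns none; that difference in behaviour is what the active scan check looks for.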