@gbdavid2
Last active February 19, 2017 20:27
Vulnerable formatted SQL string
// Deliberately vulnerable: the row limit is spliced into the SQL text with
// string.Format rather than being bound as a parameter. If "parameter" ever
// comes from an untrusted source, the caller controls part of the statement.
string parameter = "20";
string formatSQL = @"SELECT TOP {0} P.FirstName +' '+P.LastName As ClientName, SOH.OrderDate " +
"FROM Sales.SalesOrderHeader SOH " +
"JOIN Sales.Customer C ON SOH.CustomerID = C.CustomerID " +
"JOIN Person.Person P ON P.BusinessEntityID = C.PersonID " +
"WHERE SalesPersonID = 289 " +
"GROUP BY P.FirstName +' '+P.LastName, SOH.OrderDate " +
"ORDER BY SOH.OrderDate DESC, P.FirstName +' '+P.LastName";
// {0} is replaced verbatim; no quoting, escaping or type check happens here.
string resultSQL = string.Format(formatSQL, parameter);
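The same query with the row limit validated and bound as a typed parameter instead of formatted into the statement text. This is an added example, not code from the gist; it assumes SQL Server 2005 or later (where TOP accepts a parenthesised expression), the AdventureWorks schema used above, and System.Data.SqlClient with a caller-supplied connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the gist): TOP (@top) lets the limit travel as data.
static class SafeTopQuery
{
    // Only the limit is untrusted here; the SalesPersonID stays the constant from the gist.
    const string Sql =
        "SELECT TOP (@top) P.FirstName + ' ' + P.LastName AS ClientName, SOH.OrderDate " +
        "FROM Sales.SalesOrderHeader SOH " +
        "JOIN Sales.Customer C ON SOH.CustomerID = C.CustomerID " +
        "JOIN Person.Person P ON P.BusinessEntityID = C.PersonID " +
        "WHERE SalesPersonID = 289 " +
        "GROUP BY P.FirstName + ' ' + P.LastName, SOH.OrderDate " +
        "ORDER BY SOH.OrderDate DESC, P.FirstName + ' ' + P.LastName";

    // Parses and range-checks the untrusted limit, then runs the query with the
    // value bound as an int parameter so it can never alter the statement text.
    public static DataTable Run(string connectionString, string untrustedTop)
    {
        // Reject anything that is not a small positive integer before it reaches SQL.
        if (!int.TryParse(untrustedTop, out int top) || top < 1 || top > 1000)
            throw new ArgumentOutOfRangeException(nameof(untrustedTop),
                "TOP must be an integer between 1 and 1000.");

        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(Sql, conn))
        {
            // Typed parameter: the driver sends 20 as an INT, not as text in the query.
            cmd.Parameters.Add("@top", SqlDbType.Int).Value = top;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
        }
        return table;
    }
}
```

Calling `SafeTopQuery.Run(connectionString, "20")` returns the same rows as the formatted version, while an input such as `"20; DROP TABLE x"` is rejected by the integer check before any SQL is sent.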