Hi,
I'll make a quick try...
SQL injection is when you insert a string that completely changes the sql statement.
Consider...
Code:
sSQL = "Select * from Employee where manager='" & sYourID & "'"
Normally sYourID would contain your employee ID (say... ab123) and in a form or webpage you're supposed to enter it to see who you're supposed to manage (when logging in or somehow else).
Now, if you change the variable sYourID to contain
ab123' or 'a'='a
the SQL statement suddenly becomes
Select * from Employee where manager='ab123' or 'a'='a'
which returns all rows since 'a' always equals 'a'.
It's even more interesting to use DB-specific functions in what you inject....
If you could get sYourID to contain
ab123' or drop table Login or 'a'='a
the table Login might get dropped. And that's not too fun.
If you use parameterized queries you assign the string to a variable that encapsulates (and escapes) the string into one string, which means that the first injection statement would get parsed as
Select * from Employee where manager='ab123\' or \'a\'=\'a'
(assuming \ is the escape character). The database would then look for that manager ID; it wouldn't be found and no rows would be returned.
Soooo, the bottom line.
If you have direct user interaction with your SQL, use parameters (or check terribly THOROUGHLY). It's a lot safer, but you can't see the actual SQL anywhere in your IDE or when you print the SQL.
HTH
/Kejpa
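Added example (not the poster's code): the two lookups from the post side by side in Python against an in-memory SQLite table with constructed sample data, showing the concatenated query returning every row for the tampered input while the parameterized one treats the same input as a plain manager ID and returns none.

```python
import sqlite3

# Constructed sample data (not from the original post): three employees,
# two of them managed by ab123.
EMPLOYEES = [
    ("e1", "Alice", "ab123"),
    ("e2", "Bob", "ab123"),
    ("e3", "Carol", "zz999"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (id TEXT, name TEXT, manager TEXT)")
    conn.executemany("INSERT INTO Employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def lookup_concat(conn, your_id):
    """The post's vulnerable pattern: the user value is glued into the SQL
    text, so quote characters in it are parsed as SQL syntax."""
    sql = "SELECT * FROM Employee WHERE manager='" + your_id + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, your_id):
    """Parameterized query: the value is bound separately and never parsed
    as SQL, so a quote in it stays an ordinary character of the value."""
    sql = "SELECT * FROM Employee WHERE manager=?"
    return conn.execute(sql, (your_id,)).fetchall()


def demo():
    """Row counts for an honest ID and for the tampered input from the post."""
    conn = make_db()
    honest = "ab123"
    tampered = "ab123' or 'a'='a"
    return {
        "concat_honest": len(lookup_concat(conn, honest)),     # 2 rows
        "concat_tampered": len(lookup_concat(conn, tampered)), # 3 rows: all
        "param_honest": len(lookup_param(conn, honest)),       # 2 rows
        "param_tampered": len(lookup_param(conn, tampered)),   # 0 rows
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```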