Java Mailing List Archive

http://www.dba.5341.com/

SQL Injection

Dennis Williams

2006-03-22

List,
 
Here is a recent paper on how hackers can use the SQL injection technique.
 
http://www.ngssoftware.com/papers/sqlinference.pdf
 
The SQL Server example appears quite appalling, with a hacker being able to access the O.S. The Oracle example looks bad (select password from dba_users) on the surface, but an ordinary user shouldn't have that table and the password is encrypted anyway. Does anyone know if current versions of SQL Server are this vulnerable?
 
Dennis Williams