The following script shows a simple SQL injection. The script builds an SQL query by
concatenating hard-coded strings together with a string entered by the user:
The user is prompted to enter the name of a city on a Web form. If she enters Chicago, the query
assembled by the script looks similar to the following:
SELECT * FROM OrdersTable WHERE ShipCity = ‘Chicago’
How will you delete the OrdersTable from the database using SQL Injection?
A.
Chicago’; drop table OrdersTable –B. Delete table’blah’; OrdersTable –C. EXEC; SELECT * OrdersTable > DROP –D. cmdshell’; ‘del c:\sql\mydb\OrdersTable’ //