Re: SQL Injection Prevention
From: Valery Pryamikov (Valery_at_nospam.harper.no)
Date: 09/28/04
- Next message: Valery Pryamikov: "Re: SQL Injection Prevention"
- Previous message: Valery Pryamikov: "Re: SQL Injection Prevention"
- In reply to: Tibor Karaszi: "Re: SQL Injection Prevention"
- Next in thread: Valery Pryamikov: "Re: SQL Injection Prevention"
- Reply: Valery Pryamikov: "Re: SQL Injection Prevention"
- Reply: Tibor Karaszi: "Re: SQL Injection Prevention"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Sep 2004 10:20:43 +0200
SQL injection is not something specific to calling stored procedures or
executing a select SQL statement - it's about feeding user input to the SQL
parser. Period.
If you construct a call to a stored procedure as callSpCommand = "execute
sp_something('" & request.queryString("UserName") & "');", then it is
vulnerable to SQL injection. On the other hand, if you use a parameter
placeholder in the SQL string (? or @paramname), then no matter whether it is a
select statement or the execution of a stored procedure, you have the same level
of protection against SQL injection.
You can check the blog post that I referred to in my previous post to that
thread.
-Valery
http://www.harper.no/valery
"Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote in
message news:ujkDKFTpEHA.2340@TK2MSFTNGP11.phx.gbl...
> Provided you don't use dynamic SQL in your stored procedures, AFAIK, you
> won't get SQL injection if
> you use stored procedures. I'm no security expert so I'm open to critique
> here (preferably with a
> repro ;-) ).
>
> --
> Tibor Karaszi, SQL Server MVP
> http://www.karaszi.com/sqlserver/default.asp
> http://www.solidqualitylearning.com/
>
>
> "Shabam" <blislecp@hotmail.com> wrote in message
> news:oYmdnU2TE6UphcTcRVn-tQ@adelphia.com...
>> > Why not use stored procedures?
>>
>> Stored procedures are currently being used, but still, that's no
>> guarantee
>> that sql injections can't take place right? Are you saying with stored
>> procedures, all user input sent to a stored procedure will not cause sql
>> injection?
>>
>>
>
>
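An added example (not Valery's code, and not a real SQL Server stored procedure: it uses Python's sqlite3 with a constructed in-memory table) showing the distinction the post makes. The same user-supplied string is handed once to a concatenated statement, as in the `execute sp_something('...` string above, and once through a `?` placeholder; only the concatenated form lets the input reach the SQL parser as SQL.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed sample data standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2")],  # constructed rows
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, user_name: str) -> list:
    """Same pattern as the concatenated call in the post: the caller's
    input becomes part of the statement text the SQL parser reads, so
    quote characters in the input change the statement's meaning."""
    sql = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, user_name: str) -> list:
    """Placeholder form: the statement text is fixed and the value is bound
    separately, so the parser never interprets the input as SQL.
    (sqlite3 also accepts named placeholders such as :name.)"""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (user_name,))]


if __name__ == "__main__":
    db = setup()
    # A normal name behaves the same either way.
    print(lookup_concatenated(db, "alice"), lookup_parameterized(db, "alice"))
    # Input containing a quote: the concatenated statement now matches every
    # row, while the parameterized one simply finds no user with that name.
    odd_name = "x' OR '1'='1"
    print(lookup_concatenated(db, odd_name), lookup_parameterized(db, odd_name))
```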