Re: SQL Injection Prevention
From: Tibor Karaszi (tibor_please.no.email_karaszi_at_hotmail.nomail.com)
Date: 09/28/04
- Next message: Valery Pryamikov: "Re: SQL Injection Prevention"
- Previous message: Daniel Fisher\(lennybacon\): "Re: Role based security"
- In reply to: Valery Pryamikov: "Re: SQL Injection Prevention"
- Next in thread: Valery Pryamikov: "Re: SQL Injection Prevention"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Sep 2004 12:14:52 +0200
I was assuming the usage of command and parameter objects from the client side. I should have
mentioned that explicitly.
I did mention, however, "Provided you don't use dynamic SQL in your stored procedures".
--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/

"Valery Pryamikov" <Valery@nospam.harper.no> wrote in message news:edARxOTpEHA.3520@TK2MSFTNGP11.phx.gbl...
> SQL injection is not something specific to calling stored procedures or
> executing select sql statement - it's about feeding user input to SQL parser.
> Period.
> If you construct call to stored procedure as callSpCommand = "execute
> sp_something('" & request.queryString("UserName") & ");", then it is
> vulnerable to sql injection. From the other side, if you use parameter
> placeholder in SQL string (? or @paramname), then no matter if it is a
> select statement or execution of stored procedure, you have the same level
> of protection against SQL injection.
> You can check my blog post that I referred to in my previous post to that
> thread.
>
> -Valery
> http://www.harper.no/valery
>
>
> "Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote in
> message news:ujkDKFTpEHA.2340@TK2MSFTNGP11.phx.gbl...
> > Provided you don't use dynamic SQL in your stored procedures, AFAIK, you
> > won't get SQL injection if
> > you use stored procedures. I'm no security expert so I'm open to critique
> > here (preferably with a
> > repro ;-) ).
> >
> > --
> > Tibor Karaszi, SQL Server MVP
> > http://www.karaszi.com/sqlserver/default.asp
> > http://www.solidqualitylearning.com/
> >
> >
> > "Shabam" <blislecp@hotmail.com> wrote in message
> > news:oYmdnU2TE6UphcTcRVn-tQ@adelphia.com...
> >> > Why not use stored procedures?
> >>
> >> Stored procedures are currently being used, but still, that's no
> >> guarantee
> >> that sql injections can't take place right? Are you saying with stored
> >> procedures, all user input sent to a stored procedure will not cause sql
> >> injection?
> >>
> >>
> >
> >
> >
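As an added illustration of the two points made in this thread (this is editorial example code, not something either poster wrote), the T-SQL below shows the "repro" Tibor asks for: a stored procedure that is injectable because it concatenates its own parameter into dynamic SQL, the same procedure fixed with sp_executesql, and Valery's point that a safe procedure is still undone when the client builds the EXEC batch by string concatenation. The table, procedure and column names are hypothetical and the payloads are constructed for the example; it assumes a scratch SQL Server database.

```sql
-- Added example, not from the thread. Hypothetical schema; run in a scratch
-- SQL Server database. The payloads below are constructed for illustration.
CREATE TABLE dbo.Users (
    UserName nvarchar(128) NOT NULL PRIMARY KEY,
    Email    nvarchar(256) NOT NULL
);
INSERT INTO dbo.Users (UserName, Email)
VALUES (N'alice', N'alice@example.com'), (N'bob', N'bob@example.com');
GO

-- 1. The case Tibor's caveat is about: a stored procedure that builds dynamic
--    SQL by concatenating its parameter. The caller can pass @UserName through
--    a proper parameter object and still be injected, because the value is
--    fed to the parser a second time, inside the procedure.
CREATE PROCEDURE dbo.GetUser_Unsafe @UserName nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT UserName, Email FROM dbo.Users WHERE UserName = '''
             + @UserName + N'''';
    EXEC (@sql);   -- @UserName is now part of the statement text
END;
GO

-- Value of @UserName:  x' OR 1=1 --
-- Statement actually executed:
--   SELECT UserName, Email FROM dbo.Users WHERE UserName = 'x' OR 1=1 --'
-- which returns every row.
EXEC dbo.GetUser_Unsafe @UserName = N'x'' OR 1=1 --';
GO

-- 2. Same procedure with the dynamic statement parameterised through
--    sp_executesql. @u is bound as a typed value and is never re-parsed.
CREATE PROCEDURE dbo.GetUser_Safe @UserName nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT UserName, Email FROM dbo.Users WHERE UserName = @u';
    EXEC sys.sp_executesql @sql, N'@u nvarchar(128)', @u = @UserName;
END;
GO

-- Same payload, now compared literally against the column: no rows.
EXEC dbo.GetUser_Safe @UserName = N'x'' OR 1=1 --';
GO

-- 3. Valery's point: the safe procedure does not help if the *client* builds
--    the batch by string concatenation. A client that sends
--      "EXEC dbo.GetUser_Safe '" & input & "'"
--    with input   x'; SELECT Email FROM dbo.Users; --
--    hands the server this batch, and the second statement runs as well:
EXEC dbo.GetUser_Safe 'x'; SELECT Email FROM dbo.Users; --'
GO

-- The client-side fix is to send the value as a parameter (ADO Command and
-- Parameter objects, or SqlParameter in ADO.NET). On the wire that is an RPC
-- call equivalent to the separate-argument form below, and it returns no rows.
EXEC dbo.GetUser_Safe @UserName = N'x''; SELECT Email FROM dbo.Users; --';
GO

-- 4. When the dynamic part is an identifier (here, a column to sort by) it
--    cannot be a parameter. Allow-list it and wrap it in QUOTENAME instead of
--    concatenating it raw.
CREATE PROCEDURE dbo.ListUsers_Safe @OrderBy sysname
AS
BEGIN
    IF @OrderBy NOT IN (N'UserName', N'Email')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(max) =
        N'SELECT UserName, Email FROM dbo.Users ORDER BY ' + QUOTENAME(@OrderBy);
    EXEC sys.sp_executesql @sql;
END;
GO
```

The practical test is to grep every procedure body for EXEC ( ... ) with a concatenated string; any such procedure is injectable regardless of how the client calls it, which is exactly the "dynamic SQL" exception Tibor carved out.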