Re: SQL Injection Prevention

From: Valery Pryamikov (Valery_at_nospam.harper.no)
Date: 09/28/04


Date: Tue, 28 Sep 2004 17:40:10 +0200


> You would need to compare that against someone building an sql statement
> to execute the parameterised query which I guess would have the same
> vulnerability.
Let me say it another way. Think of the following highly hypothetical situation:
You are a contractor. You are brought in to build a web site. You are a great
programmer who follows all good programming practices and you never
introduce SQL injection vulnerabilities into your code. But for some
reason you were not given access to the code of the stored procedures in the database.
In this case, when you write parameterized DML statements (like select) you
are better protected against introducing a SQL injection vulnerability than
when you are calling some blackbox stored procedure, even though you are using
parameters...
This is a highly hypothetical situation that isn't likely to happen, but it
could happen, therefore my statement stays.

-Valery.
http://www.harper.no/valery

"Nigel Rivett" <sqlnr@hotmail.com> wrote in message
news:A4E3EE76-C1ED-4FE5-A511-253DE56D4D2A@microsoft.com...
> Just noticed you said
>>> in Oracle you have possibility to
> Missed "possibility" on first reading. Sure you can do that in a stored
> procedure but it would be a last resort and you would be very careful
> about the way you implemented it and what had access to it.
>
> You would need to compare that against someone building an sql statement
> to execute the parameterised query which I guess would have the same
> vulnerability.
>
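The contrast Valery describes, as an added example that is not from either poster: a SQL Server (T-SQL) stored procedure that receives a proper parameter yet rebuilds its query by string concatenation, the hardened form of the same procedure, and a catalogue query for finding procedures of the first kind when their code cannot be reviewed by hand. The table dbo.Orders and the procedure names are assumptions for the example.

```sql
-- Constructed example: the caller passes @CustomerName as a real parameter,
-- but inside the procedure the value is spliced into statement text, so the
-- caller's parameterisation protects nothing.
CREATE PROCEDURE dbo.GetOrdersByCustomer_Unsafe
    @CustomerName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    -- Any quote character in @CustomerName changes the statement's meaning.
    SET @sql = N'SELECT OrderId, Total FROM dbo.Orders WHERE CustomerName = N'''
               + @CustomerName + N'''';
    EXEC (@sql);
END
GO

-- Hardened version: the statement text is constant and the value is handed
-- to sp_executesql as a typed parameter, so it is never parsed as SQL.
CREATE PROCEDURE dbo.GetOrdersByCustomer
    @CustomerName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT OrderId, Total FROM dbo.Orders WHERE CustomerName = @name';
    EXEC sp_executesql @sql, N'@name nvarchar(100)', @name = @CustomerName;
END
GO

-- Review aid for the situation in the thread: when procedure source cannot
-- be read one by one, list the procedures whose definition both calls
-- EXEC/EXECUTE with a parenthesised string and contains a concatenation,
-- so they can be reviewed first. String matching yields candidates, not
-- proof; expect false positives.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS procedure_name
FROM   sys.sql_modules AS m
JOIN   sys.procedures  AS p ON p.object_id = m.object_id
WHERE  (m.definition LIKE '%EXEC%(%' OR m.definition LIKE '%EXECUTE%(%')
  AND  m.definition LIKE '%+%';
```

A procedure like this needs no dynamic SQL at all; a plain SELECT using the parameter directly is the simplest safe form, and sp_executesql is only the right tool when the statement text genuinely has to vary.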

