Re: SQL Injection Prevention

From: Shabam (blislecp_at_hotmail.com)
Date: 09/29/04


Date: Wed, 29 Sep 2004 03:32:52 -0700

OK, I've read all of the posts here, and I'm more confused than ever. Sorry, but I'm not a database expert, so it's hard for me to follow all the arguments.

However, I do understand the overall concept, which is why I bothered to check the application in the first place.

So the question comes down to this. The programmers have told me they use dynamic SQL inside some of the stored procedures that are used for searching the database.

2 questions:

1) Does this mean the other stored procedures using parameterized queries are all safe?

2) What is the most effective way to stop SQL injection vulnerabilities in the remaining stored procedures that have dynamic SQL in them?