Re: SQL Injection Prevention
From: Aaron [SQL Server MVP] (ten.xoc_at_dnartreb.noraa)
Date: 09/29/04
- Next message: Dan Guzman: "Re: SQL Injection Prevention"
- Previous message: Shabam: "Validating a valid URL"
- In reply to: Shabam: "Re: SQL Injection Prevention"
- Next in thread: Dan Guzman: "Re: SQL Injection Prevention"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Sep 2004 09:08:41 -0400
> 1) Does this mean the other stored procedures using parameterized queries
> are all safe?
Tough to give a blanket answer on this one, because we can't see them.
> 2) What is the most effective way to stop SQL injection vulnerabilities
> from the remaining stored procedures that have dynamic SQL in them?
If you can't rewrite the stored procedures to not use dynamic SQL, then make
sure you validate any input that comes from the user *or* the application
before blindly executing it.
-- http://www.aspfaq.com/ (Reverse address to reply.)
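The before/after behind this advice, as an added example (not code from the thread): a SQL Server procedure that splices its input into the SQL text, next to a rewrite that passes the value through sp_executesql as a typed parameter and restricts the one identifier it still splices to an allow-list plus QUOTENAME. Table, column and procedure names are assumed for illustration.

```sql
-- Added example, not from the original thread. Table and column
-- names (dbo.Customers, City, Name) are assumed for illustration.
CREATE TABLE dbo.Customers (
    CustomerID int PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    City       nvarchar(100) NOT NULL
);
GO

-- BEFORE: dynamic SQL built by string concatenation. Whatever @City
-- contains becomes part of the statement text, so a value holding a
-- quote character changes the query instead of being compared as data.
CREATE PROCEDURE dbo.GetCustomersByCity_Unsafe
    @City nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerID, Name FROM dbo.Customers WHERE City = '''
             + @City + N'''';
    EXEC (@sql);
END;
GO

-- AFTER: still dynamic (the sort column must vary), but the user value
-- travels as a typed parameter via sp_executesql, and the only piece
-- spliced into the text is an identifier checked against an allow-list
-- and wrapped in QUOTENAME so it can only ever be read as a name.
CREATE PROCEDURE dbo.GetCustomersByCity
    @City    nvarchar(100),
    @OrderBy sysname = N'Name'
AS
BEGIN
    IF @OrderBy NOT IN (N'Name', N'CustomerID')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerID, Name FROM dbo.Customers WHERE City = @City '
             + N'ORDER BY ' + QUOTENAME(@OrderBy) + N';';
    -- @City is bound as a parameter: its contents never touch the SQL text.
    EXEC sys.sp_executesql
        @sql,
        N'@City nvarchar(100)',
        @City = @City;
END;
GO
```

The same rewrite covers the original question about the remaining procedures: any user or application value that is data goes through sp_executesql parameters, and anything that must be an identifier is validated against a fixed list before it is spliced in.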