Re: Preventing Injection - Client Side
From: Dan Guzman (guzmanda_at_nospam-online.sbcglobal.net)
Date: 11/10/05
- Next message: resant_v_at_yahoo.com: "How to Run Job without Sysadmin Role"
- Previous message: David Gugick: "Re: Preventing Injection - Client Side"
- In reply to: willy: "Preventing Injection - Client Side"
- Next in thread: Willy: "Re: Preventing Injection - Client Side"
- Reply: Willy: "Re: Preventing Injection - Client Side"
Date: Wed, 9 Nov 2005 19:24:16 -0600
> I am preventing everything but characters and numbers in my WHERE
> clauses and data to prevent injection.
Consider using parameters rather than concatenating user-supplied values to
build the SQL statement. This is more secure.
--
Hope this helps.

Dan Guzman
SQL Server MVP

"willy" <willrich33@yahoo.com> wrote in message
news:1131557696.739603.25830@g14g2000cwa.googlegroups.com...
> Thanks
>
> I am building an office application which uses Microsoft Access as a
> client and SQL Server as the server. I am new to SQL Server and I
> don't want to do anything that is too stupid. I am assuming the db
> administrator would create a database specifically for this
> application. The program must be able to create and drop tables and
> works fine when hosted over the internet.
>
> I am preventing everything but characters and numbers in my WHERE
> clauses and data to prevent injection.
>
> But besides this measure, the program has these access/security
> needs/issues.
>
> Tables - Create Drop Read Write
> SPs -- Create Execute
>
> In addition the program needs to read from
>
> system_user
> db_name()
>
> information_schema.tables
> Information_schema.columns
> sysobjects
>
> Am I doing anything too stupid if the admin would prefer a more secure
> situation, maybe on a company database?
>
> Willy
>
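The two approaches in this exchange side by side, as an added example that is not from the thread: Willy's letters-and-digits filter, the string-concatenated WHERE clause it is meant to protect, and the parameterised query Dan recommends. Python's built-in sqlite3 stands in for SQL Server here, and the customers table and its names are constructed.

```python
import re
import sqlite3

# Willy's filter: only letters and digits may appear in a WHERE-clause value.
# It blocks quote characters, but also rejects legitimate data such as a
# surname with an apostrophe.
ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")


def whitelist_ok(value: str) -> bool:
    return ALNUM_ONLY.fullmatch(value) is not None


def open_sample_db() -> sqlite3.Connection:
    # Constructed sample data; sqlite3 is a stand-in for SQL Server.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Alice",), ("O'Brien",)])
    return conn


def find_by_concatenation(conn, name):
    # The pattern Dan advises against: the value is pasted into the SQL text,
    # so a quote inside it changes the statement itself. Here that surfaces
    # as a syntax error; with other input it changes what the query does.
    sql = "SELECT id FROM customers WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def find_by_parameter(conn, name):
    # Dan's recommendation: the statement text is fixed and the value is bound
    # separately, so it is never parsed as SQL. No character filter is needed
    # for the query to stay intact, and the apostrophe is just data.
    sql = "SELECT id FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = open_sample_db()
    for who in ("Alice", "O'Brien"):
        print(who, whitelist_ok(who),
              find_by_concatenation(db, who), find_by_parameter(db, who))
```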