Re: Is it possible to sql inject this code?

From: "Dan Guzman" <guzmanda@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 20 Jan 2006 19:26:41 -0600

To add to Uri's response, injection vulnerability often exists in
application code. Consider the case where the client app builds a SQL
statement string using values supplied by the user:

strSQL = "EXEC Sp_Login '" & textBoxUserName * "', '" & textBoxPassword &
"'"

You can use parameterized queries to help prevent injection.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Dixon" <vijaydixon@xxxxxxxxx> wrote in message
news:1137662421.965015.301250@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Is it possible to sql inject this code?
> ------------------------------------------------------------------------------------------------------------------------------------------------
>
> ALTER PROCEDURE Sp_Login
> (@username as nvarchar(100),@password as nvarchar(100))
> AS
> select count (*)from Tablename where Username=@username and
> Password=@password
>
>
> RETURN
> ------------------------------------------------------------------------------------------------------------------------------------------------
>

.

Follow-Ups:
- Re: Is it possible to sql inject this code?
  - From: Dan Guzman

References:
- Is it possible to sql inject this code?
  - From: Dixon

Prev by Date: Re: Cached Credentials & Database Diagrams
Next by Date: Re: Is it possible to sql inject this code?
Previous by thread: Re: Is it possible to sql inject this code?
Next by thread: Re: Is it possible to sql inject this code?
Index(es):
- Date
- Thread

Relevant Pages

Official release of SQL Power Injector 1.2
... One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%. ... Also another great time saver is a new Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context. ... No more time wasted to copy paste the session cookies after you logged... ...
(Bugtraq)
Official release of SQL Power Injector 1.2
... One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%. ... Also another great time saver is a new Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context. ... No more time wasted to copy paste the session cookies after you logged... ...
(Pen-Test)
Official release of SQL Power Injector 1.2
... One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%. ... Also another great time saver is a new Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context. ... No more time wasted to copy paste the session cookies after you logged... ...
(Security-Basics)
[Full-disclosure] OTRS 1.x/2.x Multiple Security Issues
... OTRS, the Open Source Ticket Request System, is a trouble ... ranging from cross site scripting to SQL injection. ... A malicious user may be able to conduct blind SQL code ... an attacker may be able to exploit this issue. ...
(Full-Disclosure)
Official release of SQL Power Injector 1.1
... I have the pleasure to announce that a new version of SQL Power Injector is now officially available on my web site: ... For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal ... Response of the SQL injection in a customized browser ...
(Pen-Test)