Re: Is it possible to sql inject this code?

I forgot to mention that you shouldn't prefix user stored procedures with
'sp_'. That prefix is for system stored procedures.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Dan Guzman" <guzmanda@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:es789miHGHA.1676@xxxxxxxxxxxxxxxxxxxxxxx
> To add to Uri's response, injection vulnerability often exists in
> application code. Consider the case where the client app builds a SQL
> statement string using values supplied by the user:
>
> strSQL = "EXEC Sp_Login '" & textBoxUserName & "', '" & textBoxPassword &
> "'"
>
> You can use parameterized queries to help prevent injection.
>
> --
> Hope this helps.
>
> Dan Guzman
> SQL Server MVP
>
> "Dixon" <vijaydixon@xxxxxxxxx> wrote in message
> news:1137662421.965015.301250@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> Is it possible to sql inject this code?
>> ------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> ALTER PROCEDURE Sp_Login
>> (@username as nvarchar(100),@password as nvarchar(100))
>> AS
>> select count(*) from Tablename where Username=@username and
>> Password=@password
>>
>>
>> RETURN
>> ------------------------------------------------------------------------------------------------------------------------------------------------
>>
>
>
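The contrast Dan draws above between string-building and parameterized queries, as an added example that is not from this thread. It uses Python with an in-memory sqlite3 table (constructed rows; `Tablename`, `Username` and `Password` are the names from the post) as a stand-in for the SQL Server call: a legitimate username containing an apostrophe is enough to change the structure of the concatenated statement, while the parameterized form treats it as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the poster's Tablename."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Tablename (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO Tablename VALUES (?, ?)",
                    [("alice", "s3cret"), ("O'Neil", "pa55")])
    return con


def login_concat(con, username, password):
    """Mirrors the quoted VB code: user values become part of the SQL text."""
    sql = ("SELECT count(*) FROM Tablename WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return con.execute(sql).fetchone()[0]


def login_param(con, username, password):
    """Parameterized form: the SQL text is fixed, values are bound separately."""
    sql = "SELECT count(*) FROM Tablename WHERE Username=? AND Password=?"
    return con.execute(sql, (username, password)).fetchone()[0]


def demo():
    """Run both forms on a plain name and on a name containing a quote."""
    con = make_db()
    results = {
        "concat_alice": login_concat(con, "alice", "s3cret"),
        "param_alice": login_param(con, "alice", "s3cret"),
        "param_oneil": login_param(con, "O'Neil", "pa55"),
    }
    try:
        # The apostrophe in O'Neil terminates the string literal early, so
        # the database now parses user data as part of the statement.
        results["concat_oneil"] = login_concat(con, "O'Neil", "pa55")
    except sqlite3.OperationalError:
        results["concat_oneil"] = "syntax error: user data altered the statement"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The parameterized version is the one to keep: the same separation of statement text from values is what `SqlCommand` with `CommandType.StoredProcedure` and `Parameters.Add` gives you when calling the stored procedure from the client.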
