Re: Error Handling.




You have to grant execute to the stored procedure. If someone can
figure out the signature and has the permissions, they can execute the
stored procedure, which itself executes under the permissions of a
more highly trusted account. If you don't validate input parameters,
then the sproc can be executed with bad data. If you've concatenated
parameter values using dynamic SQL inside the sproc, then you're
vulnerable to injection attacks.

--Mary
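As an added example, not part of the original thread, here is the situation Mary describes: a stored procedure that the caller only has EXECUTE on, but which concatenates its parameters into dynamic SQL, beside a version that validates its parameters on the server (her earlier point, quoted below) and binds values through sp_executesql. The table, procedure and login names (dbo.Customers, dbo.FindCustomers_Unsafe, dbo.FindCustomers, AppUser) are made up for the illustration.

```sql
-- Added example (not from the original thread). Hypothetical schema.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(50) NOT NULL,
    Region     NVARCHAR(20) NOT NULL
);
GO

-- VULNERABLE: the caller needs only EXECUTE on the procedure. Because the
-- procedure runs WITH EXECUTE AS OWNER, the dynamic SQL it builds runs with
-- the owner's rights, and @LastName is spliced straight into that text.
CREATE PROCEDURE dbo.FindCustomers_Unsafe
    @LastName   NVARCHAR(50),
    @SortColumn SYSNAME = N'LastName'
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Region FROM dbo.Customers '
      + N'WHERE LastName = ''' + @LastName + N''' '
      + N'ORDER BY ' + @SortColumn;
    EXEC (@sql);   -- executes whatever the caller managed to put in @LastName
END;
GO

-- A value that turns the lookup into a different batch (constructed input):
--   EXEC dbo.FindCustomers_Unsafe N'x'' OR 1=1; DELETE dbo.Customers; --';
-- The DELETE runs under the owner's permissions even though AppUser was never
-- granted DELETE on dbo.Customers. Without EXECUTE AS OWNER the injected
-- statement would still run, but only with the caller's own permissions,
-- since ownership chaining does not cover dynamic SQL.

-- HARDENED: validate the parameters a second time on the server, pass the
-- value through sp_executesql so it stays data, and allow-list the one
-- identifier that has to be spliced into the text.
CREATE PROCEDURE dbo.FindCustomers
    @LastName   NVARCHAR(50),
    @SortColumn SYSNAME = N'LastName'
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;

    -- Do not trust the client to have rejected empty input.
    IF @LastName IS NULL OR LEN(@LastName) = 0
    BEGIN
        RAISERROR(N'@LastName is required.', 16, 1);
        RETURN 1;
    END;

    -- ORDER BY cannot take a parameter, so the column name is checked
    -- against a fixed list and quoted; anything else is rejected.
    IF @SortColumn NOT IN (N'LastName', N'Region', N'CustomerId')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN 1;
    END;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Region FROM dbo.Customers '
      + N'WHERE LastName = @p_LastName '
      + N'ORDER BY ' + QUOTENAME(@SortColumn);

    -- @p_LastName is bound as a value: a quote in the input is just a quote.
    EXEC sys.sp_executesql
        @sql,
        N'@p_LastName NVARCHAR(50)',
        @p_LastName = @LastName;

    RETURN 0;
END;
GO

-- The application login gets EXECUTE on the procedure and nothing on the
-- table itself; the procedure's EXECUTE AS OWNER supplies the SELECT.
GRANT EXECUTE ON dbo.FindCustomers TO AppUser;
GO
```

The same payload against dbo.FindCustomers simply searches for a customer whose last name is the literal string, and the procedure still raises a client-visible error for empty or unexpected parameters, which is the server-side check Mary says must be there regardless of what the application validated.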

On Tue, 25 Mar 2008 19:45:14 -0400, "Noor" <naissani@xxxxxxxxxxx>
wrote:

As you said, you have to protect against an attack that happens outside
of the boundaries of your application.

How are stored procedures invoked against an attack that happens outside of the
boundaries of your application?

Thanks
Noor


"Mary Chipman [MSFT]" <mchip@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:957iu315lvjmqeph0hb90sgpcmcp4feiru@xxxxxxxxxx
sorry, sent too soon.

You need to do both.

Error handling on the client prevents you from sending invalid
commands to the server, saving network bandwidth and avoiding
triggering server-side errors, which are expensive. Treat all user
input as untrusted by validating input parameters, etc.

Error handling in your sprocs is necessary for performance, security
and data integrity. So you need to validate the data passed to the
server a second time -- you have to protect against an attack that
happens outside of the boundaries of your application.

--Mary

On Tue, 25 Mar 2008 07:48:01 -0700, Rogers
<Rogers@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

I would appreciate it if anyone can let me know which approach is the best
for doing error handling:

From the APPLICATION or FROM the Database.

The application calls all the stored procedures, but the application is doing the error
handling. I am pretty much concerned about locking and all that. Can anyone
give me an idea about error handling from the application side?

Thanks



