Re: security and stored procedures

From: Grant Case (hangtime79_at_DONThSoPtAmMail.com)
Date: 03/16/04 

Date: Mon, 15 Mar 2004 20:43:49 -0600

True (as long as stored procedure is written correctly and did not use
dynamic SQL),

A number of different factors contribute to the security of a stored
procedure over straight updates and selects. First off, security is defined
at the time of creation. I as an administrator can create the proc and
grant you the user the rights to use it. I don't have to grant you the
underlying table rights in order to run the procedure. With a procedure, I
define how the selects occur...can append where clause values (in the
procedure based upon parameters) to ensure you can't see anything futher
then what you are supposed to and SIGNFICANTLY reduce the chances for SQL
injection attacks especially when used in conjunction with app roles.
Stored procedures are excellent tools to ensure the security of the
application. Of course, if you use dynamic SQL in your procedure all bets
are off because you just had to open up the underlying tables in to you the
user in order for the procedure to function correctly. You can find a great
deal more information in the BOL on this subject.

HTH,
Grant

"toylet" <toylet_at_mail.hongkong.com> wrote in message
news:%2398ImwuCEHA.2628@TK2MSFTNGP11.phx.gbl...
>
> Using stored procedures to retrieve/update data would be more secured
> than enabling a user to do it.
>
> Truth? Myth?
>
> --
> .~. Might, Courage, Vision. In Linux We Trust.
> / v \ http://www.linux-sxs.org
> /( _ )\ Linux 2.4.22-xfs
> ^ ^ 8:16am up 3 days 11:41 load average: 1.00 1.00 0.97

Relevant Pages

  • Re: Help with Stored Procedure
    ... better to avoid dynamic SQL calls altogether. ... the programmers decide to use regular stored procedures. ... > instead of a single wrapper using the so evil dynamic query. ... >> No one hopefully has said that good security is not possible using ...
    (microsoft.public.sqlserver.programming)
  • Re: Dynamic SQL Performance
    ... For me it primarily comes down to security concerns: Dynamic SQL leaves ... especially stored procedures that ...
    (microsoft.public.sqlserver.programming)
  • Re: Looking for help against Chinese Hacking Team
    ... What I wrote was "properly designed Parameterized Stored Procedures" not Stored Procedures or Parameterized Stored Procedures. ... If you do a really bad job then you might be open to serious SQL Injection. ... OWASP is the Open Web Application Security Project and it offers ...
    (Pen-Test)
  • Re: SQL Injection Prevention
    ... > under the impression that all stored procedures contain dynamic SQL. ... more than 1.5 MLoC of Fortran code + more than 1.2 MLoC of C++ ...
    (microsoft.public.sqlserver.server)
  • Re: SQL Injection Prevention
    ... > under the impression that all stored procedures contain dynamic SQL. ... more than 1.5 MLoC of Fortran code + more than 1.2 MLoC of C++ ...
    (microsoft.public.dotnet.security)