Re: SQL Injection Prevention
From: Mike Epprecht (SQL MVP) (mike_at_epprecht.net)
Date: 09/28/04
- Next message: Mike Epprecht (SQL MVP): "RE: newbie question :Truncate Table side effect"
- Previous message: Mike Epprecht (SQL MVP): "RE: Further Question on American Date Format"
- In reply to: Valery Pryamikov: "Re: SQL Injection Prevention"
- Next in thread: Valery Pryamikov: "Re: SQL Injection Prevention"
- Reply: Valery Pryamikov: "Re: SQL Injection Prevention"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 28 Sep 2004 01:59:04 -0700
Use parameterized SPs. They are supported by DAO, RDO, ADO and ADO.NET.
As a good example, see the Microsoft "Data Application Block" pattern on the
.NET MSDN site.
Regards
Mike
"Valery Pryamikov" wrote:
> > ...From the other side, if you use parameter placeholder in SQL string (?
> > or @paramname), then no matter if it is a select statement or execution of
> > stored procedure, you have the same level of protection against SQL
> > injection.
> Actually, I'd rather revoke my prev. statement in favor of the following:
> if you use parameter placeholder in SQL string (? or @paramname), then a SQL
> select statement is better protected against SQL injection than a stored
> procedure (because we have to account for cases when stored procedure could
> use dynamic sql generation by concatenating values of the parameters, whereas
> standard sql commands like select, update and others are guaranteed
> against that).
>
> -Valery.
> http://www.harper.no/valery
>
>
> "Valery Pryamikov" <Valery@nospam.harper.no> wrote in message
> news:edARxOTpEHA.3520@TK2MSFTNGP11.phx.gbl...
> > SQL injection is not something specific to calling stored procedures or
> > executing select sql statement - it's about feeding user input to SQL
> > parser. Period.
> > If you construct call to stored procedure as callSpCommand = "execute
> > sp_something('" & request.queryString("UserName") & ");", then it is
> > vulnerable to sql injection. From the other side, if you use parameter
> > placeholder in SQL string (? or @paramname), then no matter if it is a
> > select statement or execution of stored procedure, you have the same level
> > of protection against SQL injection.
> > You can check my blog post that I referred to in my previous post to that
> > thread.
> >
> > -Valery
> > http://www.harper.no/valery
> >
> >
> > "Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote
> > in message news:ujkDKFTpEHA.2340@TK2MSFTNGP11.phx.gbl...
> >> Provided you don't use dynamic SQL in your stored procedures, AFAIK, you
> >> won't get SQL injection if
> >> you use stored procedures. I'm no security expert so I'm open to critique
> >> here (preferably with a
> >> repro ;-) ).
> >>
> >> --
> >> Tibor Karaszi, SQL Server MVP
> >> http://www.karaszi.com/sqlserver/default.asp
> >> http://www.solidqualitylearning.com/
> >>
> >>
> >> "Shabam" <blislecp@hotmail.com> wrote in message
> >> news:oYmdnU2TE6UphcTcRVn-tQ@adelphia.com...
> >>> > Why not use stored procedures?
> >>>
> >>> Stored procedures are currently being used, but still, that's no
> >>> guarantee
> >>> that sql injections can't take place right? Are you saying with stored
> >>> procedures, all user input sent to a stored procedure will not cause sql
> >>> injection?
> >>>
> >>>
> >>
> >>
> >
> >
>
>
>
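The point made in the thread, that a placeholder binds the input as a value while concatenation hands it to the SQL parser, and that a stored procedure which rebuilds dynamic SQL by concatenating its parameters throws that protection away, can be shown in a few lines. The following is an added example, not code from any poster; it uses Python's standard sqlite3 module in place of SQL Server/ADO, with a constructed in-memory users table and a constructed test input. The `sp_find_user_dynamic_*` functions are stand-ins for stored procedures that build dynamic SQL internally: the first corresponds to `EXEC('... ' + @username + ' ...')`, the second to `sp_executesql` with a parameter list.

```python
import sqlite3

# Constructed sample data: a small in-memory table standing in for the app's user table.
SETUP_SQL = """
CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT);
INSERT INTO users VALUES ('alice', 'admin');
INSERT INTO users VALUES ('bob', 'user');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def find_user_concat(conn, username):
    """Concatenation: the input becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, username):
    """Placeholder: the input is bound as a value; the parser never sees it as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# Stand-ins for stored procedures that generate dynamic SQL internally. The caller
# passed @username as a bound parameter in both cases; only the procedure body differs.
def sp_find_user_dynamic_concat(conn, username):
    # like EXEC('SELECT ... WHERE username = ''' + @username + '''') in T-SQL
    dynamic = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(dynamic)]


def sp_find_user_dynamic_param(conn, username):
    # like sp_executesql N'SELECT ... WHERE username = @u', N'@u nvarchar(50)', @u = @username
    dynamic = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(dynamic, (username,))]


if __name__ == "__main__":
    conn = connect()
    test_input = "x' OR '1'='1"  # constructed input containing a quote character
    print(find_user_concat(conn, test_input))            # ['alice', 'bob']: the OR was parsed as SQL
    print(find_user_param(conn, test_input))             # []: compared literally, no such user
    print(sp_find_user_dynamic_concat(conn, test_input))  # ['alice', 'bob']: caller's binding did not help
    print(sp_find_user_dynamic_param(conn, test_input))   # []: dynamic SQL with its own parameter is safe
```

A useful side effect of the placeholder form is that ordinary data containing a quote, such as the name O'Brien, is handled correctly, whereas the concatenated form fails with a syntax error on it. A code review that flags every `EXEC(` or string-built query inside procedure bodies, rather than only looking at how the procedure is called, is what catches the case Valery describes.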