Re: SQL Injection Prevention
From: Aaron [SQL Server MVP] (ten.xoc_at_dnartreb.noraa)
Date: 09/28/04
- Next message: Binoy: "Re: Search and Replace in a text field"
- Previous message: SS: "Need to shrink live DB"
- In reply to: Valery Pryamikov: "Re: SQL Injection Prevention"
- Next in thread: Valery Pryamikov: "Re: SQL Injection Prevention"
- Reply: Valery Pryamikov: "Re: SQL Injection Prevention"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 28 Sep 2004 12:14:34 -0400
> 1. when you call parameterized stored procedure, it (the procedure) may
> internally use dynamic sql (ie concatenate parameters to SQL string), thus
> introducing another SQL injection vulnerability.
And if the stored procedure doesn't contain dynamic SQL? You seem to be
under the impression that all stored procedures contain dynamic SQL. I can
assure you that this is not true.
Stored procedures can be made just as safe as your method. (plus let's not
forget all the other benefits of stored procedures over parameterized DML
statements).
So I don't think it's fair to make a blanket statement. Everything requires
caution to some degree... I really don't think it's worthwhile to throw away
all the benefits of stored procedures to gain this slight edge in security,
which is eliminated if your stored procedure doesn't contain dynamic SQL
and/or you properly validate input...
A
- Next message: Binoy: "Re: Search and Replace in a text field"
- Previous message: SS: "Need to shrink live DB"
- In reply to: Valery Pryamikov: "Re: SQL Injection Prevention"
- Next in thread: Valery Pryamikov: "Re: SQL Injection Prevention"
- Reply: Valery Pryamikov: "Re: SQL Injection Prevention"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
