Re: SQL Injection Prevention
From: Shabam (blislecp_at_hotmail.com)
Date: 09/29/04
- Next message: Allen Davidson: "Re: Resetting DTS password"
- Previous message: Dan Guzman: "Re: SQL Injection Prevention"
- In reply to: Dan Guzman: "Re: SQL Injection Prevention"
- Next in thread: Dan Guzman: "Re: SQL Injection Prevention"
- Reply: Dan Guzman: "Re: SQL Injection Prevention"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 29 Sep 2004 06:38:36 -0700
> > 2) What is the most effective way to stop sql injection vulnerabilities
> > from the remaining stored procedures that have dynamic sql in it?
>
> Execute dynamic SQL inside stored procedures only with sp_executesql
> containing parameters for all user input; do not use EXECUTE. The remainder
> of the SQL statement string needs to be constructed from a trusted source.
Can you explain this one in a more newbie fashion, or point me to an article
that may help explain this in more detail? Thanks! :)
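A worked illustration of the distinction Dan draws above, added here as an example and not part of the original thread: the same search procedure written once with string concatenation and EXECUTE, and once with sp_executesql and a parameter list. The table dbo.Customers and its columns are assumed for the example.

```sql
-- Added example (not from the thread): the same search procedure written
-- two ways. Table and column names (dbo.Customers, LastName, City) are assumed.

-- 1) Unsafe: user input is concatenated into the statement text and run
--    with EXECUTE. The input becomes part of the SQL syntax, so whatever the
--    caller puts in @LastName is parsed as code, not treated as a value.
CREATE PROCEDURE dbo.FindCustomers_Unsafe
    @LastName nvarchar(50),
    @SortColumn sysname
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, LastName, City FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N''' '
             + N'ORDER BY ' + @SortColumn;
    EXECUTE (@sql);
END;
GO

-- 2) Hardened: the statement text is a fixed string containing a parameter
--    marker; sp_executesql receives the value separately, so it is always
--    data. A column name cannot be passed as a parameter, so the ORDER BY
--    column comes from a fixed allow-list (the "trusted source") and is
--    quoted with QUOTENAME before it is appended to the statement.
CREATE PROCEDURE dbo.FindCustomers_Safe
    @LastName nvarchar(50),
    @SortColumn sysname = N'LastName'
AS
BEGIN
    IF @SortColumn NOT IN (N'LastName', N'City', N'CustomerId')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, LastName, City FROM dbo.Customers '
             + N'WHERE LastName = @LastName '
             + N'ORDER BY ' + QUOTENAME(@SortColumn);

    EXEC sp_executesql
        @sql,
        N'@LastName nvarchar(50)',   -- parameter definition list
        @LastName = @LastName;       -- bound as a value, never parsed as SQL
END;
GO
```

The only piece of the final statement that varies with caller input in the safe version is the quoted column name, and that value must first match an entry in the allow-list.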