[dba-SQLServer] SQL Injection and Sprocs

artful at rogers.com
Tue Aug 29 17:54:45 CDT 2006


Precisely my thoughts on this, but as I like to pretend that I am open-minded and always willing to step back from an opinion once it has been refuted, I thought to invite disproof. I have yet to see one, but as any logician knows, the absence of disproof does not constitute proof. I would dearly love to see an injection attack that can defeat the sproc+params approach.

A.

----- Original Message ----
From: Stuart McLachlan <stuart at lexacorp.com.pg>
To: dba-sqlserver at databaseadvisors.com
Sent: Tuesday, August 29, 2006 5:31:21 PM
Subject: Re: [dba-SQLServer] SQL Injection and Sprocs

On 29 Aug 2006 at 13:38, artful at rogers.com wrote:

> Rightly or wrongly, I have been under the impression that the safest method
> of avoiding SQL injection attacks is by using Sprocs exclusively. My theory
> is that Sproc parameters are typed, and also handled differently from
> variables that might be plugged into a dynamic SQL statement.
> 
> Have you ever seen an example that proves my theory incorrect?

No :-)
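Added example, not written by anyone in the thread: the property that decides the question above is not whether the code lives in a stored procedure but whether a parameter value is bound as a value or spliced into statement text. Table and procedure names below are constructed for illustration.

```sql
-- Constructed schema for the example; any real database would differ.
CREATE TABLE dbo.Customers (
    CustomerId INT PRIMARY KEY,
    LastName   NVARCHAR(50)  NOT NULL,
    Email      NVARCHAR(128) NOT NULL
);
GO

-- Version 1: the typed parameter is used directly in the WHERE clause.
-- @LastName is bound as a value and never becomes part of the statement text,
-- so nothing in its content can alter the query. This is the "sproc + params" case.
CREATE PROCEDURE dbo.GetCustomerByLastName_Safe
    @LastName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, LastName, Email
    FROM dbo.Customers
    WHERE LastName = @LastName;
END;
GO

-- Version 2: still a stored procedure with a typed parameter, but the procedure
-- concatenates the parameter into a string and executes that string. The value's
-- text now forms part of the statement, so the protection of version 1 is lost.
-- Review finding: flag any EXEC of a string built from parameter content.
CREATE PROCEDURE dbo.GetCustomerByLastName_Dynamic
    @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
      + N'WHERE LastName = ''' + @LastName + N''';';
    EXEC (@sql);   -- unsafe: statement text depends on caller-supplied content
END;
GO

-- Version 3: dynamic SQL done safely. The statement text is a constant and
-- sp_executesql binds @LastName as a typed parameter, restoring the version 1 property.
CREATE PROCEDURE dbo.GetCustomerByLastName_DynamicSafe
    @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customers WHERE LastName = @p;';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(50)', @p = @LastName;
END;
GO
```

A code review for this class of bug therefore looks for string concatenation feeding EXEC inside procedures, not for the presence or absence of stored procedures.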
