[dba-SQLServer] SQL Injection and Sprocs

artful at rogers.com artful at rogers.com
Tue Aug 29 15:38:12 CDT 2006


Rightly or wrongly, I have been under the impression that the safest method of avoiding SQL injection attacks is by using Sprocs exclusively. My theory is that Sproc parameters are typed, and also handled differently than variables that might be plugged into a dynamic SQL statement.

Have you ever seen an example that proves my theory incorrect? I.e. imagine some form that obtains three variables from a user, then fires a sproc and passes it these three variables. To spice up the argument, imagine that one textbox is text, one numeric and one date.

I have done various experiments on this scenario, and I cannot come up with a single case that fools the underlying sproc. Can you?

Thanks,
Arthur
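The one scenario that does defeat the sproc-only approach, shown here as an added example that is not part of Arthur's post: the typed parameters are safe at the call boundary, but a procedure that concatenates its text parameter into dynamic SQL and executes it re-parses the user's value as code. The table dbo.Orders and its columns are assumed for illustration.

```sql
-- Added example (not from the original post). Assumes a table dbo.Orders
-- with columns OrderId, Customer, Amount, OrderDate.
--
-- The three parameters match the form described: one text, one numeric,
-- one date. DECIMAL and DATE parameters cannot carry SQL text at all, and
-- the NVARCHAR value arrives as data, not as part of the statement. That
-- holds only as long as the procedure never splices the value back into
-- a string that it then executes.

-- Risky pattern: the text parameter is concatenated into dynamic SQL.
-- The typing of @Customer is irrelevant once its content is handed to
-- EXEC as statement text.
CREATE PROCEDURE dbo.FindOrders_Unsafe
    @Customer  NVARCHAR(100),
    @MinAmount DECIMAL(10,2),
    @Since     DATE
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
          N'SELECT OrderId, Customer, Amount, OrderDate FROM dbo.Orders '
        + N'WHERE Customer = ''' + @Customer + N''' '   -- value re-enters the parser here
        + N'AND Amount >= ' + CAST(@MinAmount AS NVARCHAR(20))
        + N' AND OrderDate >= ''' + CONVERT(NVARCHAR(10), @Since, 120) + N'''';
    EXEC (@sql);
END;
GO

-- Hardened form: the values stay bound as parameters end to end. A static
-- query needs no dynamic SQL at all; where dynamic SQL is genuinely
-- required, sp_executesql binds the parameters instead of splicing them.
CREATE PROCEDURE dbo.FindOrders_Safe
    @Customer  NVARCHAR(100),
    @MinAmount DECIMAL(10,2),
    @Since     DATE
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
          N'SELECT OrderId, Customer, Amount, OrderDate FROM dbo.Orders '
        + N'WHERE Customer = @c AND Amount >= @a AND OrderDate >= @d';
    EXEC sp_executesql
        @sql,
        N'@c NVARCHAR(100), @a DECIMAL(10,2), @d DATE',
        @c = @Customer, @a = @MinAmount, @d = @Since;
END;
GO
```

A quick audit for the risky pattern is to search procedure definitions for EXEC or EXECUTE applied to a concatenated string, since that is the only place a typed parameter can turn back into statement text.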



