[dba-SQLServer] SQL Injection and Sprocs

Francisco Tapia fhtapia at gmail.com
Tue Aug 29 15:50:15 CDT 2006


There is one bad form, a developer who used to work here took it upon
himself to use a "global" sproc, in which it takes an @nText parameter
and executes it in the stored procedure.  blah!

(note used to work here)

On 8/29/06, artful at rogers.com <artful at rogers.com> wrote:
> Rightly or wrongly, I have been under the impression that the safest method of avoiding SQL injection attacks is by using Sprocs exclusively. My theory is that Sproc parameters are typed, and also handled differently, than variables that might be plugged into a dynamic SQL statement.
>
> Have you ever seen an example that proves my theory incorrect? I.e. imagine some form that obtains three variables from a user, then fires a sproc and passes it these three variables. To spice up the argument, imagine that one textbox is text, one numeric and one date.
>
> I have done various experiments on this scenario, and I cannot come up with a single case that fools the underlying sproc. Can you?
>
> Thanks,
> Arthur
>
> _______________________________________________
> dba-SQLServer mailing list
> dba-SQLServer at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> http://www.databaseadvisors.com
>
>


-- 
-Francisco
http://pcthis.blogspot.com | PC news without the jargon!
http://sqlthis.blogspot.com | Tsql and More...
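The "global" sproc Francisco describes, next to typed-parameter procedures for the text / numeric / date form Arthur asks about. This is an added T-SQL example, not code from the thread; the table dbo.Orders, its columns and the procedure names are assumed.

```sql
-- ANTI-PATTERN (the "global" sproc described above): the caller supplies
-- the whole statement, so the procedure adds no typing or escaping at all;
-- whatever text reaches @nText is executed with the procedure's rights.
CREATE PROCEDURE dbo.usp_RunAnything
    @nText NVARCHAR(MAX)
AS
BEGIN
    EXEC (@nText);   -- untyped text, executed verbatim
END
GO

-- SAFE: typed parameters for a text / numeric / date form. The values are
-- bound, never spliced into SQL text, so quotes in @CustomerName are plain
-- data, and @MinAmount / @OrderedAfter cannot carry SQL at all.
CREATE PROCEDURE dbo.usp_FindOrders
    @CustomerName NVARCHAR(100),
    @MinAmount    DECIMAL(12, 2),
    @OrderedAfter DATETIME
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, CustomerName, Amount, OrderDate
    FROM dbo.Orders
    WHERE CustomerName = @CustomerName
      AND Amount >= @MinAmount
      AND OrderDate > @OrderedAfter;
END
GO

-- If dynamic SQL is genuinely needed (optional filters), build only the
-- statement shape dynamically and pass the values through sp_executesql
-- parameters; never concatenate the values themselves into @sql.
CREATE PROCEDURE dbo.usp_FindOrdersOptional
    @CustomerName NVARCHAR(100) = NULL,
    @MinAmount    DECIMAL(12, 2) = NULL
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT OrderId, CustomerName, Amount FROM dbo.Orders WHERE 1 = 1';
    IF @CustomerName IS NOT NULL
        SET @sql = @sql + N' AND CustomerName = @p_name';
    IF @MinAmount IS NOT NULL
        SET @sql = @sql + N' AND Amount >= @p_amt';
    EXEC sys.sp_executesql @sql,
        N'@p_name NVARCHAR(100), @p_amt DECIMAL(12, 2)',
        @p_name = @CustomerName, @p_amt = @MinAmount;
END
GO
```

To audit an existing database for the first pattern, search the procedure definitions in sys.sql_modules for EXEC or EXECUTE applied directly to a parameter.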
