artful at rogers.com
Tue Aug 29 17:54:45 CDT 2006
Precisely my thoughts on this, but as I like to pretend that I am open-minded and always willing to step back from an opinion once it has been refuted, I thought to invite disproof. I have yet to see one, but as any logician knows, the absence of disproof does not constitute proof. I would dearly love to see an injection attack that can defeat the sproc+params approach.

A.

----- Original Message ----
From: Stuart McLachlan <stuart at lexacorp.com.pg>
To: dba-sqlserver at databaseadvisors.com
Sent: Tuesday, August 29, 2006 5:31:21 PM
Subject: Re: [dba-SQLServer] SQL Injection and Sprocs

On 29 Aug 2006 at 13:38, artful at rogers.com wrote:

> Rightly or wrongly, I have been under the impression that the safest method
> of avoiding SQL injection attacks is by using Sprocs exclusively. My theory
> is that Sproc parameters are typed, and are also handled differently from
> variables that might be plugged into a dynamic SQL statement.
>
> Have you ever seen an example that proves my theory incorrect?

No :-)
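The question left open in this exchange is whether a stored procedure called with typed parameters can still be injected. The T-SQL below is an added worked example for SQL Server, not code posted by either participant; the table (dbo.Customers) and procedure names (usp_*) are made up for illustration. It shows the one place the sproc+params approach breaks: when the procedure itself concatenates the parameter back into SQL text and runs it with EXEC. The parameter's type is still enforced at the call boundary, but a string parameter happily carries quotes, semicolons and comment markers, so the typing buys nothing once the value becomes part of a statement. The third procedure shows dynamic SQL done safely with sp_executesql, where the value stays a parameter.

```sql
-- Added example (editor's own, not from the thread). Names are hypothetical.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    City       nvarchar(100) NOT NULL
);
INSERT INTO dbo.Customers (Name, City) VALUES ('Ann', 'Toronto'), ('Bob', 'Lae');
GO

-- 1. Typed parameter used directly in a static statement. The value is bound
--    to the plan and can never become part of the SQL text: this is the case
--    the "sprocs are safe" argument is actually about.
CREATE PROCEDURE dbo.usp_CustomersByCity_Static @City nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name FROM dbo.Customers WHERE City = @City;
END
GO

-- 2. Same typed parameter, but the procedure glues it into a string and
--    EXECs the result. The SQL text is now built from user data, so the
--    parameter type is irrelevant: this procedure is injectable.
CREATE PROCEDURE dbo.usp_CustomersByCity_Dynamic @City nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = '''
             + @City + N'''';
    EXEC (@sql);
END
GO

-- 3. Dynamic SQL done right: the statement text is a constant and the value
--    travels as a parameter of sp_executesql, exactly as in case 1.
CREATE PROCEDURE dbo.usp_CustomersByCity_ParamDynamic @City nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = @c';
    EXEC sys.sp_executesql @sql, N'@c nvarchar(100)', @c = @City;
END
GO

-- Constructed attacker input. It is a plain string, so it passes the
-- nvarchar(100) type check on every procedure above.
DECLARE @payload nvarchar(100);
SET @payload = N'x'' OR 1=1; SELECT Name FROM dbo.Customers; --';

-- Static and sp_executesql variants: zero rows, there is no city with that name.
EXEC dbo.usp_CustomersByCity_Static       @City = @payload;
EXEC dbo.usp_CustomersByCity_ParamDynamic @City = @payload;

-- Concatenating variant: the executed text becomes
--   SELECT CustomerId, Name FROM dbo.Customers WHERE City = 'x' OR 1=1;
--   SELECT Name FROM dbo.Customers; --'
-- so the WHERE clause is bypassed and the appended SELECT runs as a second
-- result set.
EXEC dbo.usp_CustomersByCity_Dynamic      @City = @payload;
```

The practical check when auditing a procedure is therefore not "does it take typed parameters" but "does any EXEC or sp_executesql call receive a string that was built from a parameter". Search the procedure bodies for EXEC ( and for string concatenation feeding it; anything found there needs either a static statement or sp_executesql with a parameter list.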