Jim Lawrence
accessd at shaw.ca
Tue Aug 29 17:54:24 CDT 2006
Hi Arthur:

Unfortunately that is not the case. About a year and a half ago, in a training session down in Redmond given by some guru named Dino Esposito, who was working for a company named Wintellect/Expoware, I watched how he cracked SQL servers. It wasn't as super easy as with SQL strings, but Sprocs, if they were not done just so, could be used to dump the server stats... at that point the game is all over. It just takes a bit of persistence; before long everything is open. I would love to give you further details, but I fried a memory stick with all the specifics before it was downloaded... so sad. You might be able to track down info at www.Wintellect.com or at http://weblogs.asp.net/despos/

Jim

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of artful at rogers.com
Sent: Tuesday, August 29, 2006 1:38 PM
To: Alexander Karmanov; Andrei Pascal; Dejan Sunderic
Cc: dba-SQLServer
Subject: [dba-SQLServer] SQL Injection and Sprocs

Rightly or wrongly, I have been under the impression that the safest method of avoiding SQL injection attacks is by using Sprocs exclusively. My theory is that Sproc parameters are typed, and are also handled differently than variables that might be plugged into a dynamic SQL statement. Have you ever seen an example that proves my theory incorrect? I.e. imagine some form that obtains three variables from a user, then fires a sproc and passes it these three variables. To spice up the argument, imagine that one textbox is text, one numeric and one date. I have done various experiments on this scenario, and I cannot come up with a single case that fools the underlying sproc. Can you?

Thanks,
Arthur

_______________________________________________
dba-SQLServer mailing list
dba-SQLServer at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
http://www.databaseadvisors.com
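The kind of counterexample Arthur asks for, as an added T-SQL example that is not part of the original thread or of either poster's material: the first stored procedure takes exactly the three typed parameters he describes (text, numeric, date), yet it is injectable because it splices the nvarchar value into a string and hands it to EXEC, so the caller's text is parsed as SQL regardless of the declared parameter type. The second version keeps the same signature but passes the values through sp_executesql as real parameters. The table dbo.Orders, its columns, and the procedure names are assumptions made for illustration.

```sql
-- Added example, not from the original thread. Assumes a SQL Server 2005-era
-- database with a hypothetical table
--   dbo.Orders(OrderID int, CustomerName nvarchar(100), OrderDate datetime)
-- and the procedure names below are likewise made up for illustration.

-- 1. Vulnerable: the parameters are typed, but the procedure rebuilds a
--    query string from them and EXECs it, so the nvarchar value is parsed
--    as SQL. The int and datetime parameters cannot carry a payload because
--    they are cast/converted server-side; the text one is enough.
CREATE PROCEDURE dbo.SearchOrders_Unsafe
    @CustomerName nvarchar(100),
    @MinOrderID   int,
    @Since        datetime
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT OrderID, CustomerName, OrderDate FROM dbo.Orders '
             + N'WHERE CustomerName = ''' + @CustomerName + N''' '
             + N'AND OrderID >= ' + CAST(@MinOrderID AS nvarchar(20)) + N' '
             + N'AND OrderDate >= ''' + CONVERT(nvarchar(30), @Since, 126) + N'''';
    EXEC (@sql);
END
GO

-- A crafted @CustomerName closes the string literal, appends a UNION that
-- reads a catalog view, and comments out the rest of the generated WHERE
-- clause. The resulting text is
--   ... WHERE CustomerName = 'x' UNION SELECT 0, name, NULL FROM sys.databases --' AND ...
-- and the procedure returns the database names alongside (or instead of) orders.
EXEC dbo.SearchOrders_Unsafe
    @CustomerName = N'x'' UNION SELECT 0, name, NULL FROM sys.databases --',
    @MinOrderID   = 0,
    @Since        = '2006-01-01';
GO

-- 2. Hardened: same signature, but the values travel as parameters of
--    sp_executesql and are never spliced into the query text. (When the
--    query does not really need to be dynamic, a plain static SELECT with
--    the parameters used directly is simpler still; this form is for the
--    cases where part of the statement must be built at run time.)
CREATE PROCEDURE dbo.SearchOrders_Safe
    @CustomerName nvarchar(100),
    @MinOrderID   int,
    @Since        datetime
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT OrderID, CustomerName, OrderDate FROM dbo.Orders '
             + N'WHERE CustomerName = @name AND OrderID >= @minId AND OrderDate >= @since';
    EXEC sp_executesql
        @sql,
        N'@name nvarchar(100), @minId int, @since datetime',
        @name  = @CustomerName,
        @minId = @MinOrderID,
        @since = @Since;
END
GO

-- The same payload is now compared as a literal customer name and simply
-- matches no rows; nothing in it is ever parsed as SQL.
EXEC dbo.SearchOrders_Safe
    @CustomerName = N'x'' UNION SELECT 0, name, NULL FROM sys.databases --',
    @MinOrderID   = 0,
    @Since        = '2006-01-01';
GO
```

The practical check, when auditing a SQL Server database for this, is to search procedure bodies for EXEC of a built-up string (for example `WHERE OBJECT_DEFINITION(object_id) LIKE '%EXEC%(%'` over sys.procedures) and confirm that every such string is either parameterized through sp_executesql or, where an identifier such as a table or column name genuinely has to be spliced in, wrapped in QUOTENAME(). Parameter typing protects the static SQL inside a procedure; it does nothing for SQL the procedure assembles itself.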