Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
Preventing Injection attacks
Message
General information
Forum:
Microsoft SQL Server
Category:
Other
Title:
Re: Preventing Injection attacks
Environment versions
SQL Server:
SQL Server 2005
Miscellaneous
Thread ID:
01341172
Message ID:
01341593
Views:
16
This message has been marked as a message which has helped to the initial question of the thread.
>Hi Mike,
>
>I understand that. The question is - how to prevent the incorrect input using parameterized queries. We're installing URLScan, but how would you do this in code? Say, in Stored procedure do you need to analyze each parameter?
>
Do not use Dynamic SQL and there is no need to check what parameters are passed. Even if you get this:
@SomeVariable = 'SomeValue; SELECT * FROM PassWord'
Your final SELECT will be:
SELECT * FROM SomeTable WHERE SomeField = @SomeVariable
and that is totally different that built select and exec() it, just because SomeField will be compared to string 'SomeValue; SELECT * FROM PassWord' and the command will not be parsed to two different commands.
If you REALLY have to use Dynamic SQL use sp_executesql SP and pass all again as parameters.
Against Stupidity the Gods themselves Contend in Vain - Johann Christoph Friedrich von Schiller
The only thing normal about database guys is their tables.
Previous
Next
Reply
Map
View

Click here to load this message in the networking platform