Preventing Injection attacks
Message
From:
25/08/2008 15:16:34
General information
Forum:
Microsoft SQL Server
Category:
Other
Environment versions
SQL Server:
SQL Server 2005
Miscellaneous
Thread ID:
01341172
Message ID:
01341593
Views:
17
This message has been marked as one that helped answer the initial question of the thread.
>Hi Mike,
>
>I understand that. The question is: how to prevent the incorrect input using parameterized queries. We're installing URLScan, but how would you do this in code? Say, in a stored procedure, do you need to analyze each parameter?
>
Do not use Dynamic SQL, and then there is no need to check what parameters are passed. Even if you get this:
@SomeVariable = 'SomeValue; SELECT * FROM PassWord'
Your final SELECT will be:
SELECT * FROM SomeTable WHERE SomeField = @SomeVariable
and that is totally different from building a SELECT string and exec()ing it, because SomeField will be compared to the string 'SomeValue; SELECT * FROM PassWord' and the command will not be parsed as two different commands.
If you REALLY have to use Dynamic SQL, use the sp_executesql SP and pass everything again as parameters.
Against Stupidity the Gods themselves Contend in Vain - Johann Christoph Friedrich von Schiller
The only thing normal about database guys is their tables.
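A T-SQL illustration of the three cases the reply contrasts, added here and not part of the original post; the table, column and procedure names are constructed, and the script is written to run on SQL Server 2005 syntax.

```sql
-- Constructed table so the procedures can run; names are hypothetical.
CREATE TABLE dbo.SomeTable (Id int IDENTITY PRIMARY KEY, SomeField nvarchar(100));
INSERT INTO dbo.SomeTable (SomeField) VALUES (N'SomeValue');
GO

-- 1) Dynamic SQL built by concatenation: the parameter text is spliced into
--    the command string, so a quote inside the value changes how the whole
--    command is parsed. This is the pattern to flag in code review.
CREATE PROCEDURE dbo.FindRow_Unsafe @SomeVariable nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, SomeField FROM dbo.SomeTable WHERE SomeField = '''
             + @SomeVariable + N'''';
    EXEC (@sql);
END
GO

-- 2) Static SQL with the parameter used directly: the value is only ever
--    compared with SomeField, never parsed as T-SQL.
CREATE PROCEDURE dbo.FindRow_Static @SomeVariable nvarchar(200)
AS
BEGIN
    SELECT Id, SomeField FROM dbo.SomeTable WHERE SomeField = @SomeVariable;
END
GO

-- 3) When the statement genuinely must vary (here the sort column, checked
--    against an allow-list), the user value still travels through
--    sp_executesql as a typed parameter rather than through concatenation.
CREATE PROCEDURE dbo.FindRow_Dynamic
    @SomeVariable nvarchar(200), @SortCol sysname = N'Id'
AS
BEGIN
    IF @SortCol NOT IN (N'Id', N'SomeField')
    BEGIN RAISERROR (N'Invalid sort column', 16, 1); RETURN; END;
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, SomeField FROM dbo.SomeTable WHERE SomeField = @v ORDER BY '
             + QUOTENAME(@SortCol);
    EXEC sp_executesql @sql, N'@v nvarchar(200)', @v = @SomeVariable;
END
GO

-- The value from the post, passed as a parameter: both procedures return no
-- rows, because no SomeField equals that whole string and nothing in it is
-- executed as a second statement.
EXEC dbo.FindRow_Static  @SomeVariable = N'SomeValue; SELECT * FROM PassWord';
EXEC dbo.FindRow_Dynamic @SomeVariable = N'SomeValue; SELECT * FROM PassWord', @SortCol = N'SomeField';
```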