This is for SELECT statements. But I'm talking about INSERT/UPDATE. Nobody prevents you from typing
<script> malicios script </script>
in the fields.
>>Hi Mike,
>>
>>I understand that. The question is - how to prevent the incorrect input using parameterized queries. We're installing URLScan, but how would you do this in code? Say, in Stored procedure do you need to analyze each parameter?
>>
>Do not use Dynamic SQL and there is no need to check what parameters are passed. Even if you get this:
>
>@SomeVariable = 'SomeValue; SELECT * FROM PassWord'
>
>
>Your final SELECT will be:
>
>SELECT * FROM SomeTable WHERE SomeField = @SomeVariable
>
>
>and that is totally different that built select and exec() it, just because SomeField will be compared to string 'SomeValue; SELECT * FROM PassWord' and the command will not be parsed to two different commands.
>If you REALLY have to use Dynamic SQL use sp_executesql SP and pass all again as parameters.
If it's not broken, fix it until it is.
My Blog