Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
Preventing Injection attacks
Message
From
25/08/2008 15:30:43
Mike Yearwood
Toronto, Ontario, Canada
 
General information
Forum:
Microsoft SQL Server
Category:
Other
Title:
Re: Preventing Injection attacks
Environment versions
SQL Server:
SQL Server 2005
Miscellaneous
Thread ID:
01341172
Message ID:
01341604
Views:
11
>>Hi Mike,
>>
>>I understand that. The question is - how to prevent the incorrect input using parameterized queries. We're installing URLScan, but how would you do this in code? Say, in Stored procedure do you need to analyze each parameter?
>>
>Do not use Dynamic SQL and there is no need to check what parameters are passed. Even if you get this:

There is nothing wrong with Dynamic SQL as long as the values are parameterized.

>
>@SomeVariable = 'SomeValue; SELECT * FROM PassWord'
>
>
>Your final SELECT will be:
>
>SELECT * FROM SomeTable WHERE SomeField = @SomeVariable
>
>
>and that is totally different that built select and exec() it, just because SomeField will be compared to string 'SomeValue; SELECT * FROM PassWord' and the command will not be parsed to two different commands.
>If you REALLY have to use Dynamic SQL use sp_executesql SP and pass all again as parameters.
Previous
Reply
Map
View

Click here to load this message in the networking platform