473,549 Members | 2,222 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

SQL injection and parameterized stored procedures

Is SQL injection an issue with SP's?

tia
Jul 19 '05 #1
3 1699
> Is SQL injection an issue with SP's?

As long as you replace ' with '' then you *should* be fine...

Some will argue that using a command object (which forces strong typing of
parameters, among other things) will protect you "better" but I don't
necessarily agree that it is one of the command object's strengths.

A
Jul 19 '05 #2
On Tue, 4 Nov 2003 16:53:22 -0800, "Stan Prosedur" <St**@Prosedur. com>
wrote:
Is SQL injection an issue with SP's?


Sure. Anytime a SP accepts a parameter and the parameter can be
entered as an injection routine, it's a factor. The normal SQL
injection fixes work as well, escaping single quotes, etc.

Jeff
Jul 19 '05 #3
Thanks to the both of you.

:-)
"Jeff Cochran" <jc************ *@naplesgov.com > wrote in message
news:3f******** ********@msnews .microsoft.com. ..
On Tue, 4 Nov 2003 16:53:22 -0800, "Stan Prosedur" <St**@Prosedur. com>
wrote:
Is SQL injection an issue with SP's?


Sure. Anytime a SP accepts a parameter and the parameter can be
entered as an injection routine, it's a factor. The normal SQL
injection fixes work as well, escaping single quotes, etc.

Jeff

Jul 19 '05 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

11
2610
by: Bă§TăRĐ | last post by:
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I just personally rewrote/reformatted close to 150 of them myself. Nothing too fancy, mostly a lot of formatting. We have a little down time between Q/A...
9
2047
by: Darrel | last post by:
I'm learning a bit about the SWL injection issues and want to write a shared class that I can call from anywhere in my project to 'sanitize' any incoming text from textfields before sending to the DB. Is it enough to simply escape single quotes as two single quotes? Ie, replace ' with ''? Or should I also be checking for things like...
10
1445
by: MattB | last post by:
I have a name lookup form that passes the contents of two text boxes to a sql query. I've noticed that someone can substitute % for letters and wildcard the query. I know I could just disallow that character, but is there a commonly accepted way to stop all of these kinds of attacks? I see asp.net automatically disallows characters like "<>"...
10
23884
by: bregent | last post by:
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form injection attacks? I'm looking for good routines I can reuse on all of my form processing pages. Thanks.
4
2182
by: ss | last post by:
hi, can anybody gives me a sample code where the sql injection attack is validated. how can i do that in business logic layer and pass the error to the presentation tier I want the sample code
18
1920
by: Lance Wynn | last post by:
One of my server has been compromised from this virus, and I can't seem to block it out! I have shut down the infected server, but I need to figure out how to check for this, and stop it. The site is running iis5 on Windows2000, the backend DB is SQLServer 2000 Can anyone point me to some good resources for this? This is urgent! ...
12
640
by: shank | last post by:
I've been hit again using DW, parameterized queries and stored procedures. I'm guessing I was not strict enough with character counts and allowing to long of a string to pass. Aside from that, as crude as it may be, is the below enough to stop these attacks? If not, how would they get around this? <% If Instr(Request.QueryString("http"))...
2
1897
by: Brian Bozarth | last post by:
This is weird, I'm pretty familiar with SQL Injection - but we're getting these weird injection that is writing in the default document or home page. What it's doing is putting in script code at the top or bottom of the home page... it looks something like this: <script>function xy1q4877d47d91a36(q4877d47d92209){ function q4877d47d929d5 ()...
2
11165
Frinavale
by: Frinavale | last post by:
SQL Injection Attack A database is a collection of information organised in such a way that allows computer programs to access data (even large amounts) quickly and easily. Data within a database is organised into tables, which contain records/rows of fields. A field contains the actual data used by the program. Relational Database Management...
0
7548
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
0
7472
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
0
7743
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. ...
0
7986
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that...
0
7832
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
0
3518
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in...
0
3499
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
1965
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
1
1083
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.