SQL injection and parameterized stored procedures

Is SQL injection an issue with SP's?

tia
Jul 19 '05 #1
> Is SQL injection an issue with SP's?

As long as you replace ' with '' then you *should* be fine...

Some will argue that using a command object (which forces strong typing of
parameters, among other things) will protect you "better" but I don't
necessarily agree that it is one of the command object's strengths.

A
Jul 19 '05 #2
On Tue, 4 Nov 2003 16:53:22 -0800, "Stan Prosedur" <St**@Prosedur.com> wrote:
> Is SQL injection an issue with SP's?

Sure. Anytime a SP accepts a parameter and the parameter can be
entered as an injection routine, it's a factor. The normal SQL
injection fixes work as well, escaping single quotes, etc.

Jeff
Jul 19 '05 #3
Thanks to the both of you.

:-)
"Jeff Cochran" <jc*************@naplesgov.com> wrote in message
news:3f****************@msnews.microsoft.com...
> On Tue, 4 Nov 2003 16:53:22 -0800, "Stan Prosedur" <St**@Prosedur.com> wrote:
>> Is SQL injection an issue with SP's?
>
> Sure. Anytime a SP accepts a parameter and the parameter can be
> entered as an injection routine, it's a factor. The normal SQL
> injection fixes work as well, escaping single quotes, etc.
>
> Jeff

Jul 19 '05 #4
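
An added example, not part of any post in this thread: whether a stored procedure is exposed depends on what it does with its parameter. The T-SQL below (SQL Server assumed; the table and procedure names are constructed) contrasts a procedure that uses the parameter only as a value, one that concatenates it into dynamic SQL, and one that binds it through `sp_executesql`.

```sql
-- Constructed schema for illustration; names are not from the thread.
CREATE TABLE dbo.Customers (CustomerId INT IDENTITY PRIMARY KEY, LastName NVARCHAR(50) NOT NULL);
GO

-- 1. Static SQL: @LastName is only ever a value, never parsed as SQL text.
CREATE PROCEDURE dbo.FindCustomer_Static @LastName NVARCHAR(50)
AS
BEGIN
    SELECT CustomerId, LastName
    FROM dbo.Customers
    WHERE LastName = @LastName;
END;
GO

-- 2. Dynamic SQL built by concatenation: the parameter becomes part of the
--    statement text, so the procedure is injectable even when the caller
--    passes it as a typed command parameter.
CREATE PROCEDURE dbo.FindCustomer_Concat @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = N'''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- 3. Dynamic SQL with a bound parameter: statement text is fixed, value travels separately.
CREATE PROCEDURE dbo.FindCustomer_Bound @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(50)', @p = @LastName;
END;
GO

-- Constructed input containing a single quote. The static and bound procedures
-- compare it as data; the concatenating one splices it into the statement text,
-- where the quote terminates the string literal early.
EXEC dbo.FindCustomer_Static @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Concat @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Bound  @LastName = N'O''Brien';
```

When reviewing existing procedures, `EXEC (@sql)` or `sp_executesql` called on a string built with `+` from a parameter is the pattern to look for.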
