Hi,
One thing that using an SP doesn't necessarily guard against is:
What happens if an SP parameter is Text and you pass in a comma separated
list of numbers,
which you then use in the SP like:
[some sql here - to do a temp table]
EXEC('SELECT FieldX, FieldY INTO #Temp FROM TableX WHERE TableID IN(' +
@Param + ')')
[some more sql here]
Admittedly the person doing the hack would have to know what the SP was
doing in order to
ensure proper SQL syntax, but, for example, a disgruntled employee might
know this and wreck
havoc.
For a comma separated list of numbers I got around this by using a regular
expression to ensure
that the value I would use only contained numbers, a comma or a space
anything else would be
discarded.
Regards,
Peter
"Patrice Scribe" <no****@nowhere.com> wrote in message
news:%2******************@TK2MSFTNGP10.phx.gbl...
A Google search such as "sql code injection" will retrieve a number of
detailed papers.
In short you could :
- validate your parameters
- use parameterized queries
- use stored procedures
- others ?
Patrice
--
"RA" <ro****@hotmail.com> a écrit dans le message de
news:%2****************@TK2MSFTNGP09.phx.gbl... If I get the user info from an aso.net, and based on that execute some
query against the database, how can I avoid issues like this one:
Client entered in user name text box the following: "new;delect from
users"
On server side I have:
sql = "select * from users where username = " + txtUser.Text;
Thanks,
Ronen
