Re: [Knowledge shared ]

From: Chip Andrews (chipandrewsat_private)
Date: Thu Jan 31 2002 - 09:49:20 PST


    Quite right.  The statement "SQL Injection does not work with stored
    procedures" is inherently false because it fails to recognize that the problem
    lies in _how_ the procedure was invoked.  If you fail to perform proper input
    validation and use string building techniques like:
    
    conn.execute("exec usp_myproc " & myvar)   ' myvar is spliced straight into the batch text
    
    then you're no safer than you were when you were using regular SQL
    statements.
    
    The best way to invoke the procedure is through the ADO command and parameter
    objects.  This will allow ADO to construct the database request and will
    automatically convert single quotes to double thus neutralizing the injection.
    Non-numeric in numeric parameter injection will fail due to strong data
    typing.
    
    Chip
    
    "Brett Moore" <brettat_private> wrote:
    > Ok so I have some thoughts. No official format.
    > 
    > 1) SQL INJECTION
    > 
    > "SQL injection does not work with stored procedures"...Shakes pear 1654
    > 
    > example:
    > 
    > X = WEB VARIABLE = INTEGER
    > 
    > X = 10
    > EXEC MY_STOREDPROCEDURE X = EXEC MY_STOREDPROCEDURE 10
    > ~
    > X = 10;EXEC MASTER..XP_CMDSHELL''
    > EXEC MY_STOREDPROCEDURE X = 10;EXEC MASTER..XP_CMDSHELL''
    > 
    
    
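The two invocation styles discussed in the message above, written out as a classic ASP/ADO page. This is an added example and not code from either poster; the procedure name `usp_myproc`, its single `@id INT` parameter, and the connection string are assumptions.

```vbscript
' Added example: calling a SQL Server stored procedure from classic ASP/ADO.
' usp_myproc, its @id INT parameter and the connection string are assumed here.
Option Explicit
Const adCmdStoredProc = 4, adInteger = 3, adParamInput = 1   ' ADO constants (adovbs.inc)

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=dbsrv;Initial Catalog=app;Integrated Security=SSPI"

Dim id
id = Request.QueryString("id")

' --- Vulnerable: the request value becomes part of the T-SQL batch text ---
' id = "10"                                -> exec usp_myproc 10
' id = "10;EXEC master..xp_cmdshell 'dir'" -> exec usp_myproc 10;EXEC master..xp_cmdshell 'dir'
' The second batch runs under the application's database login; the body of the
' procedure never matters, because the injection happened in how it was invoked.
conn.Execute "exec usp_myproc " & id

' --- Hardened: ADODB.Command with a typed parameter object ---
' With adCmdStoredProc, ADO issues an RPC call to usp_myproc and passes @id as a
' bound integer value. The value is never spliced into statement text, so a
' trailing ";EXEC ..." cannot start a second statement.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "usp_myproc"
cmd.CommandType = adCmdStoredProc

' Validate on the web side as well: IsNumeric rejects "10;EXEC ..." before it
' reaches the database, and CLng hands ADO a genuine Long so the parameter is
' bound as int rather than as text.
If Not IsNumeric(id) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(id))
Set rs = cmd.Execute
```

One caveat the parameter objects do not cover: they protect the call into the procedure, not the procedure's own body. If `usp_myproc` concatenates its arguments into a string and runs it with `EXEC(@sql)`, the injection point simply moves inside the procedure, so the same rule (typed parameters, here via `sp_executesql`) applies there too.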
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 15:16:53 PST