Quite right. The statement "SQL Injection does not work with stored procedures" is inherently false because it fails to recognize that the problem lies in _how_ the procedure was invoked. If you fail to perform proper input validation and use string building techniques like:

    conn.execute("exec usp_myproc " & myvar)

then you're not safer than you were when you were using regular SQL statements. The best way to invoke the procedure is through the ADO command and parameter objects. This will allow ADO to construct the database request and will automatically convert single quotes to double, thus neutralizing the injection. Non-numeric in numeric parameter injection will fail due to strong data typing.

Chip

"Brett Moore" <brettat_private> wrote:

> Ok so I have some thoughts. No official format.
>
> 1) SQL INJECTION
>
> "SQL injection does not work with stored procedures"...Shakes pear 1654
>
> example:
>
> X = WEB VARIABLE = INTEGER
>
> X = 10
> EXEC MY_STOREDPROCEDURE X = EXEC MY_STOREDPROCEDURE 10
> ~
> X = 10;EXEC MASTER..XP_CMDSHELL''
> EXEC MY_STOREDPROCEDURE X = 10;EXEC MASTER..XP_CMDSHELL''
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
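The two invocation patterns contrasted in the message above, string building versus a typed parameter, as an added example that is not part of the original post. It uses SQLite, which has no stored procedures, so a plain query stands in for the `exec usp_myproc` call; the table, rows and web-style inputs are constructed.

```python
"""String-built command text vs. a typed parameter (added example).

SQLite lacks stored procedures, so 'SELECT ... WHERE id = <input>' stands
in for 'exec usp_myproc <input>'; the defect (the input becomes part of
the command text) is the same one the post describes.
"""
import sqlite3

# Constructed inputs: an honest integer and a batched payload in the
# spirit of the quoted 'X = 10;EXEC ...' example.
HONEST_INPUT = "10"
INJECTED_INPUT = "10; UPDATE orders SET status = 'shipped'"


def fresh_db() -> sqlite3.Connection:
    """In-memory database holding three constructed, unshipped orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [(10, "pending"), (11, "pending"), (12, "pending")])
    conn.commit()
    return conn


def lookup_string_built(conn: sqlite3.Connection, user_value: str) -> int:
    """The 'conn.execute("exec usp_myproc " & myvar)' pattern.

    The input is pasted into the command text, so a ';' lets a second
    statement ride along. executescript() is used because it honours
    statement batches the way the original ADO command text would.
    Returns how many orders ended up marked shipped (0 if nothing leaked).
    """
    conn.executescript("SELECT * FROM orders WHERE id = " + user_value + ";")
    return conn.execute(
        "SELECT COUNT(*) FROM orders WHERE status = 'shipped'").fetchone()[0]


def lookup_parameterised(conn: sqlite3.Connection, user_value: str) -> list:
    """The command-and-parameter pattern.

    The driver ships the value separately from the command text, and the
    int() conversion enforces the strong typing the post relies on: a
    non-numeric payload is rejected with ValueError before any SQL runs.
    """
    order_id = int(user_value)  # raises ValueError on "10; UPDATE ..."
    return conn.execute("SELECT id, status FROM orders WHERE id = ?",
                        (order_id,)).fetchall()
```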
This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 15:16:53 PST