Using SQL Server Stored Procedures To Prevent SQL Injection
page 4 of 6
by Randy Dyess

Embedded vs. Stored Procedures Test
To prove the point, let's take both forms of the logon screen, run some basic SQL injection attacks against each, and compare what the database returns. The code for the tuser table, the stored procedure, and the logon.asp, logonprocess.asp and logonprocess_sp.asp pages is on my web site: http://www.Database-Security.Info/sqlinjectioncode_pt1.asp.


User Comments

Title: God   
Name: Joe
Date: 5/14/2008 3:09:15 PM
Comment:
' or 1=1 --
Title: Mr.   
Name: CSC
Date: 5/17/2007 3:21:16 PM
Comment:
Good article; it should then cover some basic validation. For those still wanting to use passed-in SQL, lest we forget that stored procs in SQL are precompiled, and the passed-in string does not have to be parsed by the Query Analyzer, which then has to build an execution plan. For a stored proc the execution plan is already compiled and in cache. Also, a great follow-up may be using OUTPUT parameters whenever returning only one row of data, and how this can be up to 10x or more faster than using a recordset object for a single row.
Title: Mr.   
Name: Nikhil
Date: 3/27/2007 9:03:38 PM
Comment:
Really good. Made very easy and comprehensive.
Title: SQL Injection works without stored procedures too   
Name: Adi
Date: 7/18/2006 3:45:05 PM
Comment:
good basic article
Title: stored procedure   
Name: prakash
Date: 5/21/2006 12:54:48 AM
Comment:
Please, it's not sufficient. You must go through the details from the beginning.
Title: Setting Parameters for Stored Procedures
Name: Dirty Sanchez
Date: 9/15/2004 2:50:17 PM
Comment:
In the line:
SET objParam = objConn.CreateParameter("@strLogin",200, 1, 50)
What are the 200, 1, 50 doing?

Thanks,

DS
Title: SQL Injection works without stored procedures too   
Name: Sid
Date: 6/15/2004 10:38:35 AM
Comment:
It may be worthwhile to note that you do not have to use a stored procedure in order to use parameters. Here's an example:

' adVarChar, adParamInput and adCmdText come from adovbs.inc (or the ADO
' type library METADATA tag); con is an ADODB.Connection opened earlier.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = con      ' Set, so the existing connection object is reused
cmd.CommandType = adCmdText
' ADO ad-hoc command text binds parameters positionally: the placeholders
' are ? and the parameters are appended in the same order.
cmd.CommandText = "SELECT pkUserId FROM Users WHERE email = ? AND password = ?"
Set param = cmd.CreateParameter("@email", adVarChar, adParamInput, 255, Request.Form("txtEmail"))
cmd.Parameters.Append param
Set param = cmd.CreateParameter("@password", adVarChar, adParamInput, 255, Request.Form("txtPassword"))
cmd.Parameters.Append param

Set rs = cmd.Execute
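
The embedded-string versus parameterized logon test that the article describes, and the parameter-without-stored-procedure point made in Sid's comment, as an added example that is not the article's code nor Sid's. SQLite stands in for SQL Server and the tuser table and its rows are constructed here; the payload is the one posted in Joe's comment above.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the article's tuser table (SQLite, not SQL Server)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tuser (userid INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    con.executemany("INSERT INTO tuser (login, password) VALUES (?, ?)",
                    [("randy", "s3cret"), ("alice", "hunter2")])
    return con

def logon_embedded(con, login, password):
    """logonprocess.asp style: form input concatenated into the SQL text.
    The quote in the input closes the literal and the rest becomes SQL."""
    sql = ("SELECT userid FROM tuser WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]

def logon_parameterized(con, login, password):
    """logonprocess_sp.asp / ADODB.Command style: the statement text is fixed
    and the input is bound as data, so the quote is just a character."""
    sql = "SELECT userid FROM tuser WHERE login = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (login, password))]

def run_test():
    """Run both logon forms with a valid logon and with the posted payload."""
    con = make_db()
    payload = "' or 1=1 --"   # the comment payload from this page
    return {
        "embedded_valid": logon_embedded(con, "randy", "s3cret"),
        "embedded_injected": logon_embedded(con, payload, "anything"),
        "param_valid": logon_parameterized(con, "randy", "s3cret"),
        "param_injected": logon_parameterized(con, payload, "anything"),
    }

if __name__ == "__main__":
    for name, result in run_test().items():
        print(name, result)
```

The embedded form returns every userid for the payload (the OR short-circuits the password check), while the parameterized form returns no row, which is the result the article's test is designed to show.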

©Copyright 1998-2008 ASPAlliance.com