Google
AspAlliance.com Web
AspAlliance
Register
Edit My Profile
Author List
Write for Us
About AspAlliance
Contact Us
Privacy Policy
Link To Us
Advertise

Subscribe
Free Newsletter
Newsletter Archive
RSS Syndication

.NET Tutorials
Learn .NET
Learn WCF
Learn WPF
Learn ASP.NET
Learn AJAX
Learn Silverlight
Learn Visual Studio
Learn ADO.NET
Learn LINQ
Learn C# (CSharp)
Learn VB.NET
Learn Web Services
Learn Controls
Learn BizTalk
Learn SharePoint
Learn Mobile
Learn SQL
Learn SQL Reporting
Learn Windows Forms
Learn XML
Learn Crystal Reports
Learn telerik
Learn FarPoint
Learn DevExpress
Examples
ASP.NET 2.0 Examples

ASP Tutorials
Learn ASP
Learn VBScript
Learn JScript
Learn SQL
Learn XML

Other Tutorials
Learn Java
Learn Oracle
Opinion / Editorial
Crystal Reports Alliance

Free Tools
Cache Manager
SimpleCMS

Reviews
Book Reviews
Product Reviews
Expert Advice

Books
ASP.NET Developer's Cookbook
Sample Chapters
Book Reviews

Community
Developer Jobs
Resource Directory
ASP Email Lists
ASP.NET Email Lists
Whidbey Email Lists
AspAlliance Groups
SQL Email Lists
XML Email Lists
Regular Expressions
MS Communities
CodeWise Communities

Web Hosting
ASP Hosting
Dedicated Servers
FREE Hosting
Shared Hosting
Web Farm Hosting

Print This Article Print  Add To Favorites Add To Favorites    Email This Article To A Friend Email To Friend  Rate This Article Rate This Article   
Using SQL Server Stored Procedures To Prevent SQL Injection
page 6 of 6
by Randy Dyess
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 56739/ 316
Next Article in Series

In the next article in this series, I will go one step further and show you how to protect those often hard to protect search boxes by using parameterized stored procedures to create a "dynamic" stored procedure.

View Entire Article

Article Feedback

Title:  
Name:  
Url: ( Optional )
Comment:  
Please add 4 and 6 and type the answer here:

User Comments

Title: God   
Name: Joe
Date: 5/14/2008 3:09:15 PM
Comment:
' or 1=1 --
Title: Mr.   
Name: CSC
Date: 5/17/2007 3:21:16 PM
Comment:
Good article, should then cover some basic validation. For those still wanting to use passed in SQL lest we forget that stored procs in SQL are pre compiled and the passed in string does not have to be parsed by the Query Analyzer which then has to build an execution plan. For a stored proc the execution plan is already compiled and in cache. Also a great follow up may be using OUTPUT parameters whenever returning only one row of data and how this can be up to 10x or more faster than using a recordset object for a single row.
Title: Mr.   
Name: Nikhil
Date: 3/27/2007 9:03:38 PM
Comment:
really good. made very easy and comprehensive.
Title: SQL Injection works without stored procedures too   
Name: Adi
Date: 7/18/2006 3:45:05 PM
Comment:
good basic article
Title: SQL Injection works without stored procedures too   
Name: Adi
Date: 7/18/2006 3:45:02 PM
Comment:
good basic aricle
Title: stored procedure   
Name: prakash
Date: 5/21/2006 12:54:48 AM
Comment:
please its not sufficient.u must go through details from the begining.
Title: Setting Paramters for Stored Procedures   
Name: Dirty Sanchez
Date: 9/15/2004 2:50:17 PM
Comment:
In the line:
SET objParam = objConn.CreateParameter("@strLogin",200, 1, 50)
What are the 200, 1, 50 doing?

Thanks,

DS
Title: SQL Injection works without stored procedures too   
Name: Sid
Date: 6/15/2004 10:38:35 AM
Comment:
It may be worthwhile to note that you do not have to use a stored procedure in order to use parameters. Here's an example:

Set cmd = Server.CreateObject("ADODB.Command")
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT pkUserId FROM Users WHERE email = @email AND password = @password"

cmd.CommandText = sql
Set param = cmd.CreateParameter("@email", adVarChar, adParamInput, 255, Request.Form("txtEmail"))
cmd.Parameters.Append param
Set param = cmd.CreateParameter("@password", adVarChar, adParamInput, 255, Request.Form("txtPassword"))
cmd.Parameters.Append param
cmd.ActiveConnection = con

Set rs = cmd.Execute






Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2008 ASPAlliance.com  |  Page Processed at 11/21/2008 6:56:33 AM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search