Need Sql Injection help for stored procedure

Last post 06-24-2008 5:17 AM by shaileshk. 5 replies.
  • 07-17-2006 11:20 AM

    Need Sql Injection help for stored procedure

    I have a stored procedure for inserting orders and it has the following statement inside:

    CASE WHEN @DeliveryInstructions IS NOT NULL AND @DeliveryInstructions <> '' THEN ' Delivery Instructions: ' + @DeliveryInstructions ELSE '' END

    Now DeliveryInstructions is a parameter, and its value is passed from the form where the user can enter the delivery instruction. Now say the user enters as the delivery instruction:
    select * from member or he can write delete from order

    It might crash the order table. Now how could I protect my parameter from having any SQL statement injected?
  • 07-18-2006 12:19 AM In reply to

    Re: Need Sql Injection help for stored procedure

    See if this helps: http://www.sqlsecurity.com/FAQs/SQLInjectionFAQ/tabid/56/Default.aspx

    --
    Frank Kalis
    Microsoft SQL Server MVP
    http://www.insidesql.de
    Already blogged today? http://www.insidesql.de/blogs
  • 07-18-2006 9:00 AM In reply to

    Re: Need Sql Injection help for stored procedure

    Unless and until you execute the string, it's safe. If you are just storing a string like 'drop table order' in the table it won't create any problem.

    Use a stored procedure to insert the data into the table instead of dynamic SQL, if you are using it, and validate the input parameters in the front-end.
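    A constructed T-SQL illustration of the point in this reply (added here, not code from the thread or from either poster): the original CASE expression only builds a string value, so the parameter ends up stored as data; the risk appears only when a procedure pastes the parameter into a statement string and executes it. The dbo.[Order] table, its Notes column and the @MemberId parameter are assumed.

```sql
-- Constructed example (not the original poster's procedure): the parameter is
-- used purely as data, so the CASE expression below only builds a string value.
CREATE PROCEDURE dbo.InsertOrder_Safe
    @MemberId             int,
    @DeliveryInstructions nvarchar(500) = NULL
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.[Order] (MemberId, Notes)
    VALUES (
        @MemberId,
        CASE WHEN @DeliveryInstructions IS NOT NULL AND @DeliveryInstructions <> ''
             THEN ' Delivery Instructions: ' + @DeliveryInstructions
             ELSE '' END
    );
    -- Even if @DeliveryInstructions contains 'delete from order', the text is
    -- stored as a literal value in Notes; nothing in it is parsed or executed.
END
GO

-- The pattern that IS vulnerable: concatenating the parameter into a statement
-- string and executing that string. The user's input becomes part of the code.
CREATE PROCEDURE dbo.InsertOrder_Unsafe
    @MemberId             int,
    @DeliveryInstructions nvarchar(500) = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'INSERT INTO dbo.[Order] (MemberId, Notes) VALUES (' + CAST(@MemberId AS nvarchar(10))
        + N', ''' + ISNULL(@DeliveryInstructions, N'') + N''')';
    EXEC (@sql);   -- a quote character in the input ends the literal early
END
GO

-- If dynamic SQL is unavoidable, keep the input as a parameter of the dynamic
-- statement with sp_executesql instead of pasting it into the text.
CREATE PROCEDURE dbo.InsertOrder_DynamicParameterised
    @MemberId             int,
    @DeliveryInstructions nvarchar(500) = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'INSERT INTO dbo.[Order] (MemberId, Notes) VALUES (@m, @d)';
    EXEC sp_executesql @sql,
         N'@m int, @d nvarchar(500)',
         @m = @MemberId, @d = ISNULL(@DeliveryInstructions, N'');
END
GO
```

    Reviewing a procedure for the second pattern (string concatenation followed by EXEC or sp_executesql with the input already inside the text) is the check to make; the first and third forms keep the input as a bound value.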
  • 07-18-2006 2:25 PM In reply to

    Re: Need Sql Injection help for stored procedure

    thanks
  • 07-19-2006 3:20 AM In reply to

    Re: Need Sql Injection help for stored procedure

    Hi,
    And strengthen your SQL Server security: don't give direct access to your SQL Server, change the listening port, and refer to http://vyaskn.tripod.com/sql_server_security_best_practices.htm also.

    Regards

    Hemantgiri S. Goswami
    ghemant@gmail.com
    "Humans don't have Caliber to PASS TIME , Time it self Pass or Fail Humans" - by Hemantgiri S. Goswami
    Hemantgiri S. Goswami | MS SQL Server MVP

    http://hemantgirisgoswami.blogspot.com
    http://forums.surat-user-group.org/

    Disclaimer: This post is provided as is, for the sake of knowledge sharing only.
  • 06-24-2008 5:17 AM In reply to

    Re: Need Sql Injection help for stored procedure

© 2000 - 2007 vDerivatives Limited All Rights Reserved.