I have a stored procedure for inserting an order and it has the following statement inside: CASE WHEN @DeliveryInstructions IS NOT NULL AND @DeliveryInstructions <> '' THEN ' Delivery Instructions: ' + @DeliveryInstructions ELSE '' END. Now DeliveryInstructions is a parameter, and its value is passed from the form where the user can enter the delivery instructions. Now say the user enters the delivery instruction: select * from member, or he can write delete from order. It might crash the order table. Now how could I protect my parameter from being injected with any SQL statement?
See if this helps: http://www.sqlsecurity.com/FAQs/SQLInjectionFAQ/tabid/56/Default.aspx -- Frank Kalis, Microsoft SQL Server MVP, http://www.insidesql.de. Already blogged today? http://www.insidesql.de/blogs
Unless you execute the string, it's safe. If you are just storing a string like 'drop table order' in the table, it won't create any problem. Use a stored procedure to insert the data into the table instead of dynamic SQL if you are using it, and validate the input parameters in the front-end.
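Added example (not from this thread, and not the poster's stored procedure) showing the point made in the answer above: when the delivery instructions travel as a bound parameter, the statement text stays constant and the user's text is stored as data, whatever it contains. SQLite is used here as a stand-in for SQL Server so it runs offline; the `?` placeholders play the role of the @DeliveryInstructions parameter, and the same holds on SQL Server when the application calls the procedure with a typed parameter rather than by concatenating the value into an EXEC string. The table names orders and member, the sample rows and the MAX_INSTRUCTION_LEN limit are constructed for the example.

```python
import sqlite3

# Assumed limit for the front-end validation the answer recommends.
MAX_INSTRUCTION_LEN = 500


def validate_delivery_instructions(text):
    """Front-end style validation: trim and length-check the free text.
    It deliberately does not try to 'strip SQL' from the value; the
    parameter binding in insert_order is what keeps it from being executed."""
    if text is None:
        return None
    text = text.strip()
    if len(text) > MAX_INSTRUCTION_LEN:
        raise ValueError("delivery instructions too long")
    return text


def setup():
    """Constructed schema standing in for the thread's order and member tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, member_id INTEGER, note TEXT)")
    conn.execute("INSERT INTO member (name) VALUES ('alice')")
    conn.execute("INSERT INTO orders (member_id, note) VALUES (1, 'existing order')")
    conn.commit()
    return conn


# The statement is a fixed string; the user's text is only ever a bound value.
# The CASE mirrors the expression quoted in the question (SQLite uses || for +).
INSERT_ORDER_SQL = """
INSERT INTO orders (member_id, note)
VALUES (?,
        CASE WHEN ? IS NOT NULL AND ? <> ''
             THEN ' Delivery Instructions: ' || ?
             ELSE '' END)
"""


def insert_order(conn, member_id, delivery_instructions):
    """Insert one order and return the note that was actually stored."""
    instr = validate_delivery_instructions(delivery_instructions)
    conn.execute(INSERT_ORDER_SQL, (member_id, instr, instr, instr))
    conn.commit()
    return conn.execute("SELECT note FROM orders ORDER BY id DESC LIMIT 1").fetchone()[0]


def table_counts(conn):
    """(rows in orders, rows in member): both tables must survive the inserts."""
    orders = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    members = conn.execute("SELECT COUNT(*) FROM member").fetchone()[0]
    return orders, members


def demo():
    conn = setup()
    # The two inputs from the question, typed exactly as a user would.
    n1 = insert_order(conn, 1, "select * from member")
    n2 = insert_order(conn, 1, "delete from orders")
    n3 = insert_order(conn, 1, "")  # empty text takes the ELSE branch
    return n1, n2, n3, table_counts(conn)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows both strings sitting in the note column as plain text, the ELSE branch producing an empty note, and row counts of 4 orders and 1 member: nothing in the user's text was executed. The only way the "delete" text could run is if some other code later concatenated the stored value into a statement and executed it, which is the dynamic SQL pattern the answer warns against.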
Hi, and strengthen your SQL Server security: don't give direct access to your SQL Server, change the listening port, and refer to http://vyaskn.tripod.com/sql_server_security_best_practices.htm also. Regards, Hemantgiri S. Goswami ghemant@gmail.com "Humans don't have Caliber to PASS TIME, Time itself Passes or Fails Humans" - by Hemantgiri S. Goswami