SQL Server Performance

Need Sql Injection help for stored procedure

Discussion in 'General Developer Questions' started by vick202, Jul 17, 2006.

  1. vick202 New Member

    I have a stored procedure for inserting orders and it has the following statement inside:

    CASE WHEN @DeliveryInstructions IS NOT NULL AND @DeliveryInstructions <> '' THEN ' Delivery Instructions: ' + @DeliveryInstructions ELSE '' END

    Now @DeliveryInstructions is a parameter, and its value is passed from the form where the user can enter the delivery instruction. Now say the user enters the delivery instruction:
    select * from member or he can write delete from order

    It might crash the order table. Now how could I protect my parameter from having any SQL statement injected into it?
  2. FrankKalis Moderator

  3. patel_mayur New Member

    Unless and until you execute the string, it's safe. If you are just storing a string like 'drop table order' in the table, it won't create any problem.

    Use a stored procedure to insert the data into the table instead of dynamic SQL, if you are using it, and validate the input parameters in the front-end.
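    The point made in this answer, shown as an added T-SQL example that is not code from the thread: a parameter that is only stored stays data, while a string that is concatenated and executed becomes code. The table dbo.Orders with columns OrderId, CustomerName and Notes, and the procedure names, are assumptions made for the example; the CASE expression is the one from the question.

```sql
-- Added example (not from the thread). dbo.Orders and the procedure names are
-- hypothetical; they exist only to make the script runnable on a test database.
CREATE TABLE dbo.Orders (
    OrderId      int IDENTITY(1,1) PRIMARY KEY,
    CustomerName nvarchar(100) NOT NULL,
    Notes        nvarchar(600) NULL
);
GO

-- 1) Parameterised insert: @DeliveryInstructions is only ever a VALUE.
--    The CASE expression builds a string, but that string is never executed,
--    so text such as "delete from order" is simply stored as text.
CREATE PROCEDURE dbo.InsertOrder
    @CustomerName         nvarchar(100),
    @DeliveryInstructions nvarchar(500) = NULL
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.Orders (CustomerName, Notes)
    VALUES (
        @CustomerName,
        CASE WHEN @DeliveryInstructions IS NOT NULL AND @DeliveryInstructions <> ''
             THEN N' Delivery Instructions: ' + @DeliveryInstructions
             ELSE N'' END
    );
END;
GO

-- Calling it with the input from the question just stores the text.
EXEC dbo.InsertOrder @CustomerName = N'Alice',
                     @DeliveryInstructions = N'delete from order';
SELECT Notes FROM dbo.Orders;   -- " Delivery Instructions: delete from order"
GO

-- 2) The pattern that IS injectable: building the statement by string
--    concatenation and then executing it. A quote character in the input ends
--    the literal, so whatever follows is run as part of the batch.
CREATE PROCEDURE dbo.InsertOrder_Unsafe
    @CustomerName         nvarchar(100),
    @DeliveryInstructions nvarchar(500) = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'INSERT INTO dbo.Orders (CustomerName, Notes) VALUES (N''' + @CustomerName
      + N''', N''' + ISNULL(@DeliveryInstructions, N'') + N''')';
    EXEC (@sql);   -- DEFECT: user text is interpreted as SQL, not as a value
END;
GO

-- 3) If dynamic SQL is genuinely required, pass the user input to
--    sp_executesql as a parameter so it remains data rather than code.
CREATE PROCEDURE dbo.InsertOrder_DynamicSafe
    @CustomerName         nvarchar(100),
    @DeliveryInstructions nvarchar(500) = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'INSERT INTO dbo.Orders (CustomerName, Notes) VALUES (@cust, @notes)';
    EXEC sys.sp_executesql @sql,
        N'@cust nvarchar(100), @notes nvarchar(500)',
        @cust  = @CustomerName,
        @notes = @DeliveryInstructions;
END;
GO
```

    Procedures 1 and 3 behave the same for any input because the value never becomes part of the SQL text; only procedure 2 has the defect the answer warns about, and it is fixed by removing the EXEC of a concatenated string rather than by filtering the input.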
  4. vick202 New Member

  5. ghemant Moderator

    Hi,
    And strengthen your SQL Server security: don't give direct access to your SQL Server, change the listening port, and refer to http://vyaskn.tripod.com/sql_server_security_best_practices.htm also.

    Regards

    Hemantgiri S. Goswami
    ghemant@gmail.com
    "Humans don't have Caliber to PASS TIME , Time it self Pass or Fail Humans" - by Hemantgiri S. Goswami
  6. shaileshk New Member
