• homebrew01 (5/7/2014)


    How would the hacker pass that variable to the stored procedure? If it's part of a form on a website, then hackers can enter character strings. But if the procedure is deeper in the application?

    Don't think about where the procedure can be accessed from. That is dangerous. Just because today the procedure isn't available from a web form doesn't mean that tomorrow it won't be. Remember that dynamic sql can be parameterized.

    Taking the same dynamic sql we can easily parameterize it. Now this code is injection proof. When using dynamic sql it is not hard to write code that is injection proof.

    alter procedure IsThisVulnerable
    (
    @MyValue varchar(50)
    ) as
    declare @SQL nvarchar(max)
    set @SQL = 'select * from sys.objects where name = @MyValue'
    exec sp_executesql @SQL, N'@MyValue varchar(50)', @MyValue = @MyValue
    go

    exec IsThisVulnerable ''';drop proc IsThisVulnerable--'
    exec IsThisVulnerable 'IsThisVulnerable'

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
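Added example, not from the post above: the concatenated form of the same lookup next to the sp_executesql form, plus the one case sp_executesql cannot parameterize, an object name, which has to be validated against the catalog and wrapped with QUOTENAME instead. Procedure and table names (FindObject_Unsafe, FindObject_Safe, CountRows_Safe, DemoAudit) are hypothetical.

```sql
-- Added example (not the post's code). Names below are hypothetical.

-- 1. Concatenation: the caller's text becomes part of the statement,
--    so a quote inside @MyValue closes the literal early. Shown for
--    comparison only; the calls at the bottom never run this one.
create procedure dbo.FindObject_Unsafe
    @MyValue varchar(50)
as
begin
    declare @SQL nvarchar(max);
    set @SQL = N'select name, type_desc from sys.objects where name = '''
             + @MyValue + N'''';
    exec (@SQL);
end
go

-- 2. Parameterized: the statement text is constant, @MyValue is bound
--    as a value, so ';drop proc ...--' is just a name that matches nothing.
create procedure dbo.FindObject_Safe
    @MyValue varchar(50)
as
begin
    declare @SQL nvarchar(max);
    set @SQL = N'select name, type_desc from sys.objects where name = @MyValue';
    exec sp_executesql @SQL, N'@MyValue varchar(50)', @MyValue = @MyValue;
end
go

-- 3. An identifier (schema/table) cannot be a parameter. Check that it
--    exists in the catalog first, then QUOTENAME it so the brackets close
--    the name no matter what characters it contains.
create procedure dbo.CountRows_Safe
    @SchemaName sysname,
    @TableName  sysname
as
begin
    declare @FullName nvarchar(300)
        = quotename(@SchemaName) + N'.' + quotename(@TableName);

    if object_id(@FullName, N'U') is null
    begin
        raiserror(N'Unknown table %s', 16, 1, @FullName);
        return;
    end;

    declare @SQL nvarchar(max);
    set @SQL = N'select count(*) as RowCnt from ' + @FullName + N';';
    exec sp_executesql @SQL;
end
go

-- Constructed sample table for the identifier case.
create table dbo.DemoAudit (id int identity primary key, msg nvarchar(100));
insert dbo.DemoAudit (msg) values (N'one'), (N'two');
go

-- Same two calls as the post, against the parameterized version:
-- the first returns no rows and drops nothing, the second finds the proc.
exec dbo.FindObject_Safe ''';drop proc FindObject_Safe--';
exec dbo.FindObject_Safe 'FindObject_Safe';

-- Identifier case: valid name counts 2 rows; an unknown or
-- quote-laden name is rejected before any dynamic SQL is built.
exec dbo.CountRows_Safe 'dbo', 'DemoAudit';
exec dbo.CountRows_Safe 'dbo', 'DemoAudit]; drop table dbo.DemoAudit; --';
```

The point of the third procedure is the one most people miss after learning sp_executesql: a table or column name is not a value, so it cannot be passed as a parameter, and the defence there is allow-listing against sys.objects (or object_id) plus QUOTENAME, never a bare concatenation.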