• Hari.Sharma (7/14/2008)


    The best way to avoid SQL injection is the use of stored procedures.

    The only way to avoid SQL injection with 100% certainty is to use properly parameterised queries or stored procedures.

    And don't make the mistake of using stored procedures that dynamically build up SQL strings inside the proc and then exec them. Procs like that are just as vulnerable to SQL injection as dynamic strings on the front end.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
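The two procs below, as an added example that is not part of the thread, show the difference the reply is drawing: one builds its SQL text by concatenating the parameter and then EXECs it, the other keeps the SQL text fixed and passes the value through sp_executesql as a typed parameter. The table, procedure names and the hostile input are constructed for illustration (T-SQL, SQL Server).

```sql
-- Added example, not from the thread. Table, procedures and sample input are constructed.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(200) NOT NULL
);
INSERT INTO dbo.Customers (Name, Email) VALUES
    (N'Alice', N'alice@example.com'),
    (N'Bob',   N'bob@example.com');
GO

-- VULNERABLE: the parameter value is spliced into the SQL text, which is then executed.
-- Being inside a stored procedure changes nothing; this is string concatenation with EXEC.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END
GO

-- SAFE: the SQL text is constant; the value is bound as a typed parameter by sp_executesql,
-- so whatever it contains is compared as data and can never become part of the statement.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = @p_name';
    EXEC sp_executesql @sql, N'@p_name NVARCHAR(100)', @p_name = @Name;
END
GO

-- Constructed hostile input: closes the string literal, appends a second statement,
-- and comments out the closing quote the proc adds.
DECLARE @attack NVARCHAR(100) = N''' ; SELECT Name, Email FROM dbo.Customers; --';

-- Unsafe proc: the built text is
--   SELECT ... WHERE Name = '' ; SELECT Name, Email FROM dbo.Customers; --'
-- which runs two statements, and the second returns every row in the table.
EXEC dbo.FindCustomer_Unsafe @Name = @attack;

-- Safe proc: the same input is matched literally against Name and returns no rows.
EXEC dbo.FindCustomer_Safe @Name = @attack;
GO
```

Two caveats when checking real procs: sp_executesql only helps if the values actually travel as parameters, a proc that concatenates and then calls sp_executesql with the result is no better than EXEC; and identifiers (table or column names) cannot be parameterised at all, so when they must be dynamic they need to be validated against a whitelist or wrapped with QUOTENAME before being concatenated.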