Home Forums Article Discussions Article Discussions by Author Discuss Content Posted by Robert Marda Nesting Stored Procedures RE: Nesting Stored Procedures

  • May 22, 2003 at 9:24 am

    #458192

    Hi Robert,

    quote:

    The major danger I am aware of from sql injection attacks via data entered by a user and used in a stored procedure is when you dynamically build your queries and then execute them. The best way I know to completely eliminate this type of injection is to use the following code on your character datatypes: SET @LastName = REPLACE (@LastName, '''', '''''')

    That code ensures that all characters they enter will remain in the query to be compared against a column and can not execute as its own query.

    Other than that I agree that all other forms of validation will be best handled before the input reaches the stored procedures.

    Agreed, I'm trying to avoid dynamic SQL for other than administrative tasks and to validate as much as possible at app level. But there is still a small percentage of uncertainty to deal with.

    You have to do more than just REPLACE (@LastName, '''', '''''')

    I'm sure you know this articles from http://www.appsecinc.com named Manipulating Microsoft SQL Server Using SQL Injection. Or Advanced SQL Injections in SQL Server Applications by http://www.nssoftware.com.

    But we're moving off-topic...

    One thing that can be stated is that you can use nested procs for this reason, or? If you do so, that's another question

    Cheers,

    Frank

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/[/url]