Obviously, you lock down rights as much as possible.

If the developer isn't doing proper input validation and isn't using proper coding technique, there isn't a whole lot you can do. The semi-colon (;) and the double dash (--) really kill you. For instance, you can't stop the fact that this gets passed:

EXEC usp_mystoredprocedure 'Test';EXEC sp_password @loginame='sa', @new='password'

SQL Server is going to read that semi-colon as a statement separator and break up the two statements. So if you tried to test in usp_mystoredprocedure, it does no good. Of course, with the proper security model, sp_password doesn't get executed. But whatever the user has the ability to do can be done. So as a DBA, you are heavily reliant on the developer.

I'll be writing a security article on input validation that describes a real world issue I came across that dealt with a similar type of problem.

K. Brian Kelley

http://www.truthsolutions.com/

Author: Start to Finish Guide to SQL Server Performance Monitoring

http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1