Stored Procedures and SQL Injection


davoscollective
SSCommitted (1.7K reputation)
Group: General Forum Members
Points: 1655 Visits: 1008
And this one:
Attachment: untitled.png (376.00 KB)
Geoff A
SSCrazy (2.4K reputation)
Group: General Forum Members
Points: 2448 Visits: 1808
Thanks Brian. This article is extremely informative. I hate permissions in SQL but your approach is spot on for making it understandable.
Dave Vroman
Old Hand (339 reputation)
Group: General Forum Members
Points: 339 Visits: 727
Using stored procedures is a requirement for PCI compliance. It is one of the requirements that slows down or stops all manner of nasties (well delineated in earlier posts). If your web site accepts credit cards, this is one of the many requirements.
Michael Valentine Jones
SSChampion (14K reputation)
Group: General Forum Members
Points: 14449 Visits: 11848
Dave Vroman (2/19/2013)
Using stored procedures is a requirement for PCI compliance. It is one of the requirements that slows down or stops all manner of nasties (well delineated in earlier posts). If your web site accepts credit cards, this is one of the many requirements.


I recently went through the Payment Card Industry (PCI) Data Security Standard V2.0 documents in detail and never saw anything that stated that you are required to use stored procedures.

Can you point to a specific PCI standards document that states this requirement?
Dave Vroman
Old Hand (339 reputation)
Group: General Forum Members
Points: 339 Visits: 727
It totally depends on the level of PCI compliance. I don't remember where it was and I am no longer at that company. It was not specifically spelled out in the compliance papers, but it was required by the company that was testing for compliance.
Lynn Pettis
SSC Guru (94K reputation)
Group: General Forum Members
Points: 94695 Visits: 38956
Sounds like an auditing firm making a determination not specified in the standard because they think it best. If it isn't in the actual standard, how can they justify failing you if you aren't using stored procedures?

Lynn Pettis
K. Brian Kelley
Keeper of the Duck (24K reputation)
Group: Moderators
Points: 24826 Visits: 1917
Remember that auditing firms make an attestation as to whether you're in compliance. That attestation is basically a statement of confidence. So, yes, it's entirely possible one firm would require something when another wouldn't if the requirement is not explicitly spelled out in the standard. For instance, way back in the day, this is how one firm we did business with got a SAS70 attestation even though they didn't patch their Windows servers. I wish I was kidding. Our auditors, on the other hand, required a detailed patch management plan along with verification that the controls were being met before they signed off each time for our SAS70 attestation. Why the difference? SAS70 was very vague and didn't have anything specific with regards to those sorts of controls.

K. Brian Kelley
@kbriankelley
Michael Valentine Jones
SSChampion (14K reputation)
Group: General Forum Members
Points: 14449 Visits: 11848
Dave Vroman (2/19/2013)
It totally depends on the level of PCI compliance. I don't remember where it was and I am no longer at that company. It was not specifically spelled out in the compliance papers, but it was required by the company that was testing for compliance.


Sounds like the auditor was just making stuff up.

Not that I think using stored procedures is a bad thing, but this sort of thing is why I have very little respect for firms that do PCI, SAS70, SOX, etc. audits.

My experience is that they zoom in on petty items while they ignore or don't even understand serious problems.
Dave Poole
SSCoach (16K reputation)
Group: General Forum Members
Points: 16748 Visits: 3403
Have a good read of https://www.owasp.org/index.php/Main_Page

eric.notheisen
SSC-Addicted (451 reputation)
Group: General Forum Members
Points: 451 Visits: 300
The first rule of application security is to never trust user input. The second rule is always test for SQL injection. The third rule is to run the tests again in the stored procedure. The fourth rule is to never allow any query other than through a stored procedure. The fifth rule is to prohibit the use of Entity Framework to directly access the database without using a stored procedure.

As much as I hate the first word that comes out of a DBA's mouth, "NO!!!", the security of the data in a database is the single most important value an application developer can hold. The second most important is maintainability.

When I have been engaged as an architect on a project, I have always considered security to be the most important consideration and have angered many developers by refusing to move off the position that stored procedures are the only way to access the database.
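The stored-procedure-only rule discussed in this thread only stops SQL injection when the procedure itself is parameterised. The following T-SQL is an added example, not code from the original thread or from the article it discusses; the table, procedure and database user names (dbo.Customers, dbo.FindCustomer_Unsafe, dbo.FindCustomer_Safe, dbo.ListCustomers, WebApp) and the sample rows are hypothetical. It shows a procedure that is still injectable because it concatenates its argument into dynamic SQL, the parameterised version, a safe pattern for the cases where dynamic SQL is genuinely needed, and the permission model in which the application login can execute procedures but cannot touch the tables directly.

```sql
-- Hypothetical table with constructed sample rows.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Email      nvarchar(256) NOT NULL,
    CardLast4  char(4)       NOT NULL
);
INSERT dbo.Customers (Email, CardLast4)
VALUES (N'alice@example.com', '1234'), (N'bob@example.com', '5678');
GO

-- 1. A stored procedure that is still injectable: the argument is pasted into
--    the statement text, so @Email = N''' OR 1=1 --' turns the WHERE clause
--    into  WHERE Email = '' OR 1=1 --'  and returns every row.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Email nvarchar(256)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customers WHERE Email = '''
        + @Email + N'''';
    EXEC (@sql);
END;
GO

-- 2. The same lookup with the value bound as a parameter. The input can only
--    ever be compared as data, so the payload above simply matches nothing.
CREATE PROCEDURE dbo.FindCustomer_Safe @Email nvarchar(256)
AS
BEGIN
    SELECT CustomerId, Email FROM dbo.Customers WHERE Email = @Email;
END;
GO

-- 3. When dynamic SQL is unavoidable (here: a caller-chosen sort column), keep
--    every value as a parameter of sp_executesql and whitelist the identifier
--    that must become part of the statement text.
CREATE PROCEDURE dbo.ListCustomers
    @SortBy    sysname       = N'Email',
    @EmailLike nvarchar(256) = NULL
AS
BEGIN
    IF @SortBy NOT IN (N'Email', N'CustomerId')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customers '
        + N'WHERE (@EmailLike IS NULL OR Email LIKE @EmailLike) '
        + N'ORDER BY ' + QUOTENAME(@SortBy);

    EXEC sys.sp_executesql @sql,
        N'@EmailLike nvarchar(256)',
        @EmailLike = @EmailLike;
END;
GO

-- 4. Permissions: the application user may execute the procedures but has no
--    rights on the table. Because procedure and table share an owner (dbo),
--    ownership chaining lets the procedure read the table on the caller's
--    behalf while a direct SELECT from the same user is refused.
CREATE USER WebApp WITHOUT LOGIN;   -- hypothetical; map to a real login in production
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customers TO WebApp;
GRANT EXECUTE ON dbo.FindCustomer_Safe TO WebApp;
GRANT EXECUTE ON dbo.ListCustomers    TO WebApp;
GO

-- Demonstration.
EXEC dbo.FindCustomer_Unsafe @Email = N''' OR 1=1 --';   -- returns both rows
EXEC dbo.FindCustomer_Safe   @Email = N''' OR 1=1 --';   -- returns no rows

EXECUTE AS USER = 'WebApp';
    EXEC dbo.FindCustomer_Safe @Email = N'alice@example.com';          -- allowed
    EXEC dbo.ListCustomers @SortBy = N'CustomerId', @EmailLike = N'%@example.com'; -- allowed
    EXEC dbo.ListCustomers @SortBy = N'CardLast4; DROP TABLE dbo.Customers'; -- rejected by whitelist
    SELECT * FROM dbo.Customers;                                       -- fails: SELECT permission denied
REVERT;
GO
```

The point a reviewer should take from the first two procedures is that EXEC of a concatenated string inside a stored procedure is exactly as injectable as the same concatenation in application code; the procedure boundary buys nothing by itself. What the procedure does buy is the permission model in step 4: with EXECUTE-only grants and no table rights, even an injection that slips through somewhere is confined to what the procedures expose.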