SQL Server Injection Attacks

  • david.c.holley

    SSCrazy

    Points: 2423

    I've got a couple of ASP.NET projects in the pipeline where users will have the ability to add free form comments. I've been reading up on precautions to take to avoid SQL SIAs, however when you're dealing with free form remarks is it even possible to ensure that an attack can't occur?

    I've read that parametrized queries and stored procedures go a very long way in preventing a SIA, however even if I pass everything through a stored procedure in and out of the database, could a SIA still occur?

  • GSquared

    SSC Guru

    Points: 260824

    It depends on how you implement your calls to the server, and how you build your stored procedures.

    For example, if you build an SQL string in ASP.NET, and then execute it, that's the same as not using a proc in the first place.

    On the other hand, if the comments are fed directly to a proc as a parameter value, then there really isn't a way to get them to execute as an injection attack. Building and executing strings is really where SQL injection comes into play.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
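    The distinction GSquared draws, as an added illustration that is not code from this thread: the same comment insert written by building a SQL string versus handing the remark to a stored procedure as a parameter. The table `dbo.Comments`, the procedure `dbo.AddComment` and its `@CommentText` parameter are hypothetical names assumed for the example.

    ```csharp
    // Added illustration (not code from the thread): the same comment insert
    // built as a SQL string versus passed as a stored-procedure parameter.
    // Assumes a table dbo.Comments(CommentText nvarchar(max)) and a procedure
    // dbo.AddComment(@CommentText nvarchar(max)); both names are hypothetical.
    using System;
    using System.Data;
    using System.Data.SqlClient;

    public static class CommentRepository
    {
        // VULNERABLE: the user's text becomes part of the statement itself, so a
        // quote character in the remark changes the structure of the SQL that runs.
        // Sending this string to a proc that EXECs it would not help; the statement
        // has already been assembled on the ASP.NET side.
        public static void InsertCommentUnsafe(string connectionString, string comment)
        {
            string sql = "INSERT INTO dbo.Comments (CommentText) VALUES ('" + comment + "')";
            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                conn.Open();
                cmd.ExecuteNonQuery();
            }
        }

        // SAFE: the remark travels to the server as a typed parameter value, never as
        // statement text, so quotes, semicolons and comment markers stay data.
        public static void InsertCommentSafe(string connectionString, string comment)
        {
            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand("dbo.AddComment", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                // Size -1 maps to nvarchar(max), matching the free-form remark column.
                cmd.Parameters.Add("@CommentText", SqlDbType.NVarChar, -1).Value = comment;
                conn.Open();
                cmd.ExecuteNonQuery();
            }
        }
    }
    ```

    The parameter is only as safe as the procedure body keeps it: a proc that concatenates `@CommentText` into a string and runs it with `EXEC` is back to building and executing strings, which is the case GSquared's "how you build your stored procedures" refers to.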

  • david.c.holley

    SSCrazy

    Points: 2423

    I had already planned on shifting everything to stored procedures so it sounds like I'm on the right track. Even though it's for an intranet, the idea is not to make any presumptions.

  • GSquared

    SSC Guru

    Points: 260824

    Sound judgement, there.

    As Dilbert's Pointy-Haired-Boss once said, "100% of employee sabotage is by employees".

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715099
