Forum Replies Created

Viewing 15 posts - 76 through 90 (of 141 total)

  • RE: logins vs users

    well this spells it out clearly:

    http://www.akadia.com/services/sqlsrv_logins_and_users.html

    I suppose if I restore the master first then the actual databases that might work.

    Dave

    Trainmark.com IT Training B2B Marketplace
    (Jobs for IT Instructors)

  • RE: join on a table variable

    Thanks everyone, it looks like it was using the alias that really made the difference. I have my proc working correctly using a table variable now.

    As usual so many questions...

    Dave


  • RE: join on a table variable

    Ya well I'd love to, but since I can't do an "insert into" it won't work for my current solution.

    In my dynamic sql version of this solution I use a...

    Dave


  • RE: sql injection articles

    Thanks for that Brian, chances are I will never have time to make that change on old apps, but I have added it to my methodology for new projects.

    Dave


  • RE: join on a table variable

    Hmm can't do a select into..that sounds familiar, and that probably explains why my code was throwing an error.

    So is the scope of a temp table local to the procedure?...

    Dave


  • RE: join on a table variable

    Ok I'll try that in the morning. BTW is there any function difference between a temp table and a table variable? scope or otherwise.

    Dave


  • RE: The Need For Speed - Upgrading Your Servers

    Thanks for the article Steve. It left me wondering though.

    As you say your metrics looked good except at certain peak times for certain timezones/geography. So what can one do to...

    Dave


  • RE: sql injection articles

    Ya that failed to inject as well. Looks like I am reasonably secure the way I am doing things.

    I do validate my forms both client side and server side, and...

    Dave


  • RE: join on a table variable

    Sorry it wasn't clear. No I am not using dynamic sql.

    I'll abstract it.

    this works

    ============================

    create table #temptable

    ( id int)

    insert into #tempTable select uid from tableA where some condition

    select thisField...

    Dave


  • RE: sql injection articles

    Hmm I assumed that his notation was simply shorthand and that the web form was using parameter ado objects...I should reply to his thread.

    It does sound like you're saying with...

    Dave


  • RE: sql injection articles

    lol well if nothing else his injection code was enough to stump the forum parser, I had to snip part of his code out to have it display correctly. The...

    Dave


  • RE: sql injection articles

    I'm not entirely sure about that simonsabin. That was my assumption but then I found this post on:

    http://seclists.org/lists/pen-test/2001/Mar/0105.html

    Here is the relevant section that challenged my assumptions:

    > So, i can inject...

    Dave


  • RE: sql injection articles

    I'll be migrating to a new server soon, and I have spent a great deal of time thinking about my availability, monitoring, recovery, and security plan. I will try to find...

    Dave


  • RE: sql injection articles

    Thanks I was mostly concerned with beefing up my sql injection defense. My current sites are exclusively on stored procedures, no dynamic sql from asp at all.

    I check the parameters...

    Dave


  • RE: table name string to table variable

    Thanks antares, these archive tables are created on the fly by client activity so there's no way for me to branch in a proc.

    I think I have decided to correct...

    Dave

