Last post Jan 20, 2013 10:04 PM by mbanavige
Jan 12, 2013 08:16 AM
I have put this query in my page ("Select * From Pages Where Page='" & Trim(id) & "'") and I checked it with SQL injection; it's easily injectable by SQL injection. So can you suggest where the error is? I am getting the values by query string.
Jan 12, 2013 08:25 AM
Jan 12, 2013 08:28 AM
Use a parameterized query, an SP, or a SqlSafe function.
See the URL below.
Sample SQL safe function:
private string SafeSqlLiteral(string inputSQL)
{
    // Doubles single quotes so the value cannot close a quoted string literal
    return inputSQL.Replace("'", "''");
}
Jan 13, 2013 10:38 PM
id.Trim() or id.ToString().Trim()
Do you really believe this will prevent SQL injections? You had better read the links provided by alankarp as well.
Jan 13, 2013 10:43 PM
What alan said. I personally only use stored procedures. There are not only security benefits, but they are precompiled and therefore also execute faster.
Jan 14, 2013 09:37 AM
personally only use stored procedures. There are not only security benefits
A Stored Procedure is not necessarily safe. When you concatenate a SQL string inside a Stored Procedure, SQL injections may happen as well. The best defense against SQL injections is using parameterized queries, inside or outside SPs.
Jan 14, 2013 10:30 AM
Pardon me for my ignorance if this is a stupid question. But how would you pass a value to a SPROC to be injected if it didn't have parameters in the first place? I'm sure I'm overlooking something simple.
Jan 14, 2013 12:05 PM
Pardon me for my ignorance if this is a stupid question
No, a question is not stupid!
But how would you pass a value to a SPROC to be injected if it didn't have parameters in the first place? I'm sure I'm overlooking something simple.
Yes, a SP can have parameters. However, you can use Dynamic SQL inside a Stored Procedure as well:
CREATE TABLE [dbo].[tblTest](
    [value] [nvarchar](50) NOT NULL
) ON [PRIMARY]
GO

CREATE PROCEDURE [dbo].[spBadExample]
    @value nvarchar(50)
AS
    -- Deliberately vulnerable: the parameter value is concatenated into a string
    -- that is then run as code, so a quote inside @value changes the statement
    EXECUTE('INSERT INTO [dbo].[tblTest] ([value]) VALUES (''' + @value + ''')')
GO
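As an added example (not code from the thread), the following T-SQL script for SQL Server shows both sides of this post and of the earlier "SqlSafe function" advice: it runs the concatenating procedure above with a constructed attack value, and then the same insert written as parameterized dynamic SQL with sp_executesql. The table and spBadExample are the names used in this thread; spGoodExample and the payload string are assumptions made for this illustration.

```sql
-- Added example, not from the thread. Names tblTest/spBadExample come from the post
-- above; spGoodExample and the payload text are assumptions made for this script.
IF OBJECT_ID('dbo.spBadExample') IS NOT NULL DROP PROCEDURE dbo.spBadExample;
IF OBJECT_ID('dbo.spGoodExample') IS NOT NULL DROP PROCEDURE dbo.spGoodExample;
IF OBJECT_ID('dbo.tblTest') IS NOT NULL DROP TABLE dbo.tblTest;
GO
CREATE TABLE dbo.tblTest ([value] nvarchar(50) NOT NULL);
GO

-- 1. The vulnerable procedure: the parameter arrives safely, but it is then
--    concatenated into a string that EXECUTE runs as code.
CREATE PROCEDURE dbo.spBadExample @value nvarchar(50)
AS
    EXECUTE('INSERT INTO dbo.tblTest ([value]) VALUES (''' + @value + ''')');
GO

-- Constructed attack value: closes the string literal, appends a second
-- statement, and comments out the trailing quote and parenthesis.
-- The text EXECUTE ends up running is:
--   INSERT INTO dbo.tblTest ([value]) VALUES ('x'); DELETE FROM dbo.tblTest; --')
DECLARE @payload nvarchar(50) = N'x''); DELETE FROM dbo.tblTest; --';
EXEC dbo.spBadExample @value = N'legit row';
EXEC dbo.spBadExample @value = @payload;
SELECT COUNT(*) AS rows_after_bad FROM dbo.tblTest;  -- 0: the DELETE ran
GO

-- 2. Parameterized dynamic SQL: the statement text is a constant and the value
--    travels as a typed parameter, so it can never become part of the code.
CREATE PROCEDURE dbo.spGoodExample @value nvarchar(50)
AS
    EXECUTE sp_executesql
        N'INSERT INTO dbo.tblTest ([value]) VALUES (@v)',
        N'@v nvarchar(50)',
        @v = @value;
GO

DECLARE @payload nvarchar(50) = N'x''); DELETE FROM dbo.tblTest; --';
EXEC dbo.spGoodExample @value = N'legit row';
EXEC dbo.spGoodExample @value = @payload;
-- Two rows; the second holds the payload text verbatim as data, nothing was executed.
SELECT [value] FROM dbo.tblTest;
GO
```

Doubling the quotes first, as the SafeSqlLiteral function in the earlier post does, would stop this particular payload, but only because the value is being spliced inside a quoted string literal; concatenated into an unquoted position (a numeric comparison, an ORDER BY column, a table name) there is no quote to escape and the same trick fails. Passing the value as a parameter works in every position, which is why sp_executesql inside the procedure, or SqlParameter on the SqlCommand in the page, is the fix rather than a sanitizing function.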
Jan 14, 2013 12:13 PM
Ah ok, so if the parameter is text and the SPROC is being built dynamically they could insert syntax into the parameter? Am I understanding that right? And if so, am I safe as long as none of my SP are Executing dynamically built SQL?
Jan 14, 2013 12:36 PM