Resumepod
Member
56 Points
97 Posts
SQL Injection
Jan 12, 2013 08:16 AM
Hi,
I have put this query in my page ("Select * From Pages Where Page='" & Trim(id) & "'") and I checked it with SQL injection; it's easily injectable by SQL injection. So suggest to me where the error is? I am getting values by query string.
oned_gk
All-Star
31655 Points
6470 Posts
Re: SQL Injection
Jan 12, 2013 08:25 AM
alankarp
Contributor
2042 Points
345 Posts
Re: SQL Injection
Jan 12, 2013 08:28 AM
Use a parameterized query or SP or sqlSafe function.
See the URLs below:
http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET
http://msdn.microsoft.com/en-us/library/ff648339.aspx
Sample SQL safe function:
private string SafeSqlLiteral(string inputSQL)
{
    // doubles every single quote so the value stays inside a quoted string literal
    return inputSQL.Replace("'", "''");
}
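As an added example that is not part of this thread and not alankarp's code: the concatenated query from the original post, the same query behind a Python port of the SafeSqlLiteral helper, and a parameterized version, side by side. It uses Python's sqlite3 module as a stand-in for ADO.NET so it runs offline; the Pages table, its two rows and the probe inputs are all constructed here. It also goes one step beyond the post by including a numeric column compared without quotes, where a quote-doubling helper has nothing to act on.

```python
# Added example (not code from the thread). Python/sqlite3 stands in for
# ASP.NET/ADO.NET; the table, rows and probe inputs are constructed for the demo.
import sqlite3


def safe_sql_literal(input_sql: str) -> str:
    """Python port of the SafeSqlLiteral helper above: doubles single quotes."""
    return input_sql.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the Pages table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Pages (Id INTEGER PRIMARY KEY, Page TEXT NOT NULL)")
    conn.executemany("INSERT INTO Pages (Page) VALUES (?)", [("home",), ("admin",)])
    return conn


def pages_concat(conn: sqlite3.Connection, page: str) -> list:
    """The original post's pattern: the query-string value is glued into the SQL text."""
    sql = "SELECT Page FROM Pages WHERE Page='" + page.strip() + "'"
    return [row[0] for row in conn.execute(sql)]


def pages_escaped(conn: sqlite3.Connection, page: str) -> list:
    """Same concatenation, but the value goes through the quote-doubling helper first."""
    sql = "SELECT Page FROM Pages WHERE Page='" + safe_sql_literal(page.strip()) + "'"
    return [row[0] for row in conn.execute(sql)]


def pages_by_id_escaped(conn: sqlite3.Connection, id_value: str) -> list:
    """Numeric column, no quotes around the value: the helper has nothing to double,
    so whatever the caller sends becomes part of the WHERE clause unchanged."""
    sql = "SELECT Page FROM Pages WHERE Id=" + safe_sql_literal(id_value.strip())
    return [row[0] for row in conn.execute(sql)]


def pages_param(conn: sqlite3.Connection, page: str) -> list:
    """Parameterized: the driver binds the value; it is never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT Page FROM Pages WHERE Page=?", (page.strip(),))]


def pages_by_id_param(conn: sqlite3.Connection, id_value: str) -> list:
    """Parameterized and type-checked: a non-integer id raises ValueError before any SQL runs."""
    return [row[0] for row in conn.execute(
        "SELECT Page FROM Pages WHERE Id=?", (int(id_value),))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"  # constructed test input that rewrites the WHERE clause when concatenated
    print(pages_concat(db, probe))              # both rows: the WHERE clause was rewritten
    print(pages_escaped(db, probe))             # []: the doubled quotes keep it one literal
    print(pages_by_id_escaped(db, "1 OR 1=1"))  # both rows again: nothing to escape
    print(pages_param(db, probe))               # []
    print(pages_by_id_param(db, "1"))           # ['home']
```

The helper only addresses the one context it was written for (a value inside single quotes); a parameter covers every context and is the fix both linked articles describe.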
hans_v
All-Star
35986 Points
6550 Posts
Re: SQL Injection
Jan 13, 2013 10:38 PM
Do you really believe this will prevent SQL injections? You'd better read the links provided by alankarp as well...
Daveg232
Member
130 Points
65 Posts
Re: SQL Injection
Jan 13, 2013 10:43 PM
What Alan said. I personally only use stored procedures. There are not only security benefits, but they are precompiled and therefore also execute faster.
hans_v
All-Star
35986 Points
6550 Posts
Re: SQL Injection
Jan 14, 2013 09:37 AM
A Stored Procedure is not necessarily safe. When you concatenate a SQL string inside a Stored Procedure, SQL injections may happen as well. The best defense against SQL injections is using parameterized queries, in or outside SPs.
Daveg232
Member
130 Points
65 Posts
Re: SQL Injection
Jan 14, 2013 10:30 AM
Pardon me for my ignorance if this is a stupid question. But how would you pass a value to a SPROC to be injected if it didn't have parameters in the first place? I'm sure I'm overlooking something simple.
hans_v
All-Star
35986 Points
6550 Posts
Re: SQL Injection
Jan 14, 2013 12:05 PM
No, a question is not stupid!
Yes, a SP can have parameters. However, you can use Dynamic SQL inside a Stored Procedure as well:
CREATE TABLE [dbo].[tblTest](
    [value] [nvarchar](50) NOT NULL
) ON [PRIMARY]
GO

CREATE PROCEDURE [dbo].[spBadExample]
    @value nvarchar(50)
AS
BEGIN
    -- dynamic SQL: the parameter is spliced into the statement text before it is parsed
    EXECUTE('INSERT INTO [dbo].[tblTest] ([value]) VALUES ''' + @value + '''')
END
Daveg232
Member
130 Points
65 Posts
Re: SQL Injection
Jan 14, 2013 12:13 PM
Ah ok, so if the parameter is text and the SPROC is being built dynamically, they could insert syntax into the parameter? Am I understanding that right? And if so, am I safe as long as none of my SPs are executing dynamically built SQL?
hans_v
All-Star
35986 Points
6550 Posts
Re: SQL Injection
Jan 14, 2013 12:36 PM
Yes,
Yes,
Yes
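As an added example that is not part of this thread and not hans_v's code: spBadExample and its parameterized counterpart re-created in Python, since SQLite has no stored procedures. The mechanism is the one hans_v and Daveg232 settle on above: the value arrives as a real parameter, but a body that splices it into new statement text hands it to the parser as SQL anyway. The table and the probe input are constructed for the demonstration; the mention of sp_executesql refers to the T-SQL way of running dynamic SQL with bound parameters.

```python
# Added example (not code from the thread): hans_v's spBadExample and a
# parameterized version, simulated in Python/sqlite3. Table and inputs are
# constructed for the demonstration.
import sqlite3


def make_test_db() -> sqlite3.Connection:
    """In-memory stand-in for dbo.tblTest."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblTest (value TEXT NOT NULL)")
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM tblTest").fetchone()[0]


def stored_values(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT value FROM tblTest ORDER BY rowid")]


def sp_bad_example(conn: sqlite3.Connection, value: str) -> int:
    """Mirrors EXECUTE('INSERT ... VALUES ''' + @value + ''''): `value` reached
    this 'procedure' as a parameter, but the body splices it into statement text,
    so the database parses it as SQL. Returns how many rows this one call inserted."""
    before = row_count(conn)
    conn.execute("INSERT INTO tblTest (value) VALUES ('" + value + "')")
    return row_count(conn) - before


def sp_good_example(conn: sqlite3.Connection, value: str) -> int:
    """The form hans_v recommends: the value stays a bound parameter all the way
    to the INSERT (for dynamic SQL in T-SQL, sp_executesql with a parameter list
    achieves the same). Returns how many rows this call inserted."""
    before = row_count(conn)
    conn.execute("INSERT INTO tblTest (value) VALUES (?)", (value,))
    return row_count(conn) - before


if __name__ == "__main__":
    probe = "a'), ('b"  # constructed test input: closes the literal and the row
    db = make_test_db()
    print(sp_bad_example(db, probe), stored_values(db))   # 2 ['a', 'b']: one call, two rows
    db = make_test_db()
    print(sp_good_example(db, probe), stored_values(db))  # 1 ["a'), ('b"]: stored verbatim
```

The return value is the check a reviewer would want: a single call to the concatenating version can change the shape of the statement (here, the number of rows it inserts), while the parameterized version stores exactly the string it was given, whatever it contains.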