Hi,
I need some information from someone that is an expert in MSSQL and SQLI.
I wanted to know if SQLI is possible through systematic stored procedures of MSSQL?

Thanks,

SQL Injection occurs because of an insecurely written app running on the client. Nothing you can do on the SQL Server can affect SQL Injection because it has already occured before SQL Server even receives the SQL statement from the SQL Client.

-PatP

Your best bet is to keep the interface as procedure calls between the DB and the application code. If the procedure is properly written, it will disallow bad data, free text, etc.

Thanks to both replies.
I have a question for Celko.
You mean that systematic SPs are safe from injection?

If your front end code is vulnerable to SQL Injection, then any database is vulnerable to SQL Injection (even if the database doesn't run SQL at all).

Any application that sends unchecked, unprotected strings to a database server is vulnerable to injection. It doesn't matter what the developer thought that the code ought to do/run/etc. That isn't relevant.

All code, of any kind on a database server is vulnerable to injection attacks from a weak front end application.

-PatP

Thanks Pat.
I agree with you but shouldn't systematic SPs be secure? because we have vulnerability where ever human (programmer) comes in the middle.

Not "quite" true...
...you could disallow all access to the database tables except through sprocs and views.

I've yet to see an application architect willing to give up these privileges without a fight, though.

If your front end does not use command and parameter objects to encapsulate the arguments of the stored procedure, and instead simply concatenates the stored procedure and arguments as a single string, you have a SQL injection vulnerability, no matter what procedure is being called, "systematic" or otherwise.

Thanks,
Do you think I could find a list of systematic SPs that could be vulnerable to injection or I have to manually search?

Define "systematic", please.

I mean the system SPs (with the sp_ or xp_ prefix) of MSSQL.

Anything that the application user has access to is available in a SQL Injection attack. If you run your application as sa, or another admin account, all of them could potentially be invoked. As could any statement like "drop database msdb", or "create backdoor login..."

To prevent SQL Injection you would need to lock down all your tables, allow access only through direct calls to stored procedures, and ensure that none of your stored procedures issue dynamic sql statements with concatenated strings created from either procedure parameters or character-based data columns.

Thanks to everyone that has sent an answer.
Many thanks,

I wanted to ask blindman what do you mean by direct call of SPs?

What do you mean by direct call to Sp?