  1. #1
    Join Date
    Jun 2008
    Posts
    2

    Unanswered: if you only use stored procedures can someone still inject sql in a hack

    If you only use stored procedures, can someone still inject SQL in a hack?

  2. #2
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,912
    Yes

  3. #3
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,912
    ...and it is also possible to never use stored procedures and be invulnerable to SQL injection.

  4. #4
    Join Date
    Jun 2003
    Location
    Ohio
    Posts
    12,592
    Provided Answers: 1
    No. Not if the stored procedure is written correctly.
    If it's not practically useful, then it's practically useless.

    blindman
    www.chess.com: "sqlblindman"
    www.LobsterShot.blogspot.com

  5. #5
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,912
    Quote Originally Posted by blindman
    No. Not if the stored procedure is written correctly.
    An application executing properly written stored procedures can still be vulnerable to SQL Injection.

  6. #6
    Join Date
    Jan 2007
    Location
    UK
    Posts
    11,434
    Provided Answers: 10
    Umm, come again?
    George
    Home | Blog

  7. #7
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,799
    Provided Answers: 11
    If you do not use command objects, you can still potentially be hacked. If you use stored procedures but simply concatenate the stored procedure name with the parameters, you can be hacked. They may not be able to extract data, but they can update data.

  8. #8
    Join Date
    Jun 2003
    Location
    Ohio
    Posts
    12,592
    Provided Answers: 1
    Quote Originally Posted by pootle flump
    An application executing properly written stored procedures can still be vulnerable to SQL Injection.
    Only if other holes are left open. But they won't hack it through the sproc.
    If it's not practically useful, then it's practically useless.

    blindman
    www.chess.com: "sqlblindman"
    www.LobsterShot.blogspot.com

  9. #9
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,799
    Provided Answers: 11
    I remember rejecting a stored procedure that went something like this:
    Code:
    create procedure LastProcYouWillEverNeed (@sql nvarchar(4000))
    as
    exec (@sql)
    go
    If developers didn't try this sort of crap, I would not have to make (and enforce) so danged many rules.
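    An added example (my own, not code from this thread) that puts MCrowley's rejected procedure beside the concatenate-inside-the-proc variant that pootle flump and MCrowley are warning about, the "written correctly" form blindman means, and a coarse audit query a DBA can run; the table, procedure and column names are hypothetical.

```sql
-- 1) What MCrowley rejected: the caller supplies the whole statement, so
--    calling it through a parameterised "command object" changes nothing:
--    the parameter value IS the SQL that runs.
CREATE PROCEDURE dbo.LastProcYouWillEverNeed (@sql nvarchar(4000))
AS
    EXEC (@sql);
GO

-- 2) Same flaw hidden inside an ordinary-looking procedure: the parameter
--    is typed, but it is concatenated into a string that is then executed.
CREATE PROCEDURE dbo.GetCustomer_Bad (@Name nvarchar(100))
AS
    EXEC ('SELECT CustomerId, Name FROM dbo.Customer WHERE Name = ''' + @Name + '''');
GO

-- 3) Written correctly: @Name is only ever compared as a value.
CREATE PROCEDURE dbo.GetCustomer (@Name nvarchar(100))
AS
    SELECT CustomerId, Name FROM dbo.Customer WHERE Name = @Name;
GO

-- 4) If dynamic SQL is genuinely needed (caller-chosen sort column), values
--    stay parameters of sp_executesql and identifiers are whitelisted.
CREATE PROCEDURE dbo.GetCustomersSorted (@Name nvarchar(100), @SortCol sysname)
AS
    IF @SortCol NOT IN (N'Name', N'CustomerId')
        THROW 50000, N'Invalid sort column', 1;
    DECLARE @stmt nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customer WHERE Name = @p ORDER BY '
        + QUOTENAME(@SortCol);
    EXEC sp_executesql @stmt, N'@p nvarchar(100)', @p = @Name;
GO

-- 5) Coarse audit for a DBA: every procedure that executes a string, to be
--    reviewed by hand (the pattern deliberately over-matches).
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS proc_name
FROM sys.sql_modules AS m
JOIN sys.procedures  AS p ON p.object_id = m.object_id
WHERE m.definition LIKE '%EXEC (%'    OR m.definition LIKE '%EXEC(%'
   OR m.definition LIKE '%EXECUTE (%' OR m.definition LIKE '%EXECUTE(%'
   OR m.definition LIKE '%sp_executesql%';
```

    Procedure 1 stays injectable no matter how carefully the client binds its parameter, which is the point made in posts #12 and #15; procedure 3 is what "written correctly" looks like.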

  10. #10
    Join Date
    Sep 2005
    Posts
    161
    Quote Originally Posted by MCrowley
    I remember rejecting a stored procedure that went something like this:
    Code:
    create procedure LastProcYouWillEverNeed (@sql nvarchar(4000))
    as
    exec (@sql)
    go
    If developers didn't try this sort of crap, I would not have to make (and enforce) so danged many rules.
    If developers didn't try this sort of crap, there would be a lower demand for DBAs.

  11. #11
    Join Date
    Nov 2004
    Location
    on the wrong server
    Posts
    8,835
    Provided Answers: 6
    Quote Originally Posted by MCrowley
    I remember rejecting a stored procedure that went something like this:
    Code:
    create procedure LastProcYouWillEverNeed (@sql nvarchar(4000))
    as
    exec (@sql)
    go
    If developers didn't try this sort of crap, I would not have to make (and enforce) so danged many rules.

    Why? It is so flexible.
    “If one brings so much courage to this world the world has to kill them or break them, so of course it kills them. The world breaks every one and afterward many are strong at the broken places. But those that will not break it kills. It kills the very good and the very gentle and the very brave impartially. If you are none of these you can be sure it will kill you too but there will be no special hurry.” Ernest Hemingway, A Farewell To Arms.

  12. #12
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,912
    Quote Originally Posted by MCrowley
    If you do not use command objects, you can still potentially be hacked.
    Even with command objects you can!

    But yes - I know your point

  13. #13
    Join Date
    May 2004
    Location
    Seattle
    Posts
    1,313
    If you are concatenating strings to build up a SQL statement and then executing it, or executing an input string directly (like in mcrowley's example), you are vulnerable.

  14. #14
    Join Date
    Jun 2008
    Posts
    3
    Quote Originally Posted by pootle flump
    Even with command objects you can!

    But yes - I know your point
    Can you please explain it further?

  15. #15
    Join Date
    May 2004
    Location
    Seattle
    Posts
    1,313
    Because if someone is calling a proc like mcrowley's example above with a command object, they are vulnerable.
