scuzymoto
Starting Member
17 Posts
Posted - 2010-03-30 : 15:40:23
Are there other ways besides dynamic SQL blocks in stored procedures where parameterized data being passed from a web application could become a source of SQL injection? Microsoft Books Online states that parameterized data is still vulnerable but does not give any examples other than dynamic SQL. Any other tricks out there I should be guarding against, when it comes to parameterized queries?
Kristen
Test
22859 Posts
Posted - 2010-03-31 : 04:17:49
Passing data to an "external" source - command prompt; COM object; etc.

User putting <SCRIPT> stuff into Notes fields that are displayed on screen and become HTML injection - I can't think how this could be a SQL injection risk offhand, but I expect with enough knowledge of your system then JS could use AJAX type actions to manipulate records. This is likely to be higher-risk if the parameters used in your GET/POST provide a full story board of what is going on ... hidden fields for UserID, Action etc. client side would enable a hacker to try different UserIDs to piggy-back on their permissions (of course UserID should be a Session Object, not a round-trip client object, but it's the sort of loop-hole that can creep in).

So ... in general ... no, I don't think parametrised calls to SQL (SProc or sp_ExecuteSQL) are a risk if there is no dynamic SQL in the SProc, or if the SProc only does dynamic SQL using sp_ExecuteSQL - and only uses parameters in the Command part, of course!
madhivanan
Premature Yak Congratulator
22864 Posts
Posted - 2010-03-31 : 05:04:36
Make sure you read this fully: www.sommarskog.se/dynamic_sql

Madhivanan
Failing to plan is Planning to fail
LoztInSpace
Aged Yak Warrior
940 Posts
Posted - 2010-03-31 : 07:43:45
The main problem is solved by parameterised queries. You can get some DoS type hacks when you use LIKE as the user can put % or _ characters into the string. This can cause indexes to be ignored where you might expect them to be used. If you have to use LIKE then escape these characters and add the wildcards in the SP yourself.

It is not quite the same thing as injection but something to bear in mind. It's a real shame there is no parameterised wildcard for LIKE as this is about the only gap.
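The LIKE escaping LoztInSpace describes, as an added T-SQL example that is not part of the thread: the stored procedure takes the raw search term as a parameter, escapes the LIKE metacharacters itself, and appends the wildcard server-side, so a user-supplied % or _ is matched literally instead of widening the scan. The table dbo.Customers and its columns are assumed for illustration.

```sql
-- Added example (not from the thread). Assumes a hypothetical table
-- dbo.Customers(CustomerID int, CustomerName nvarchar(200)).
CREATE PROCEDURE dbo.SearchCustomers
    @SearchTerm nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- Worst case every character is escaped (doubled) plus one trailing '%'.
    DECLARE @Pattern nvarchar(201);

    -- Escape the escape character first, then the LIKE metacharacters.
    -- '[' is escaped too, because SQL Server LIKE treats [...] as a range.
    SET @Pattern = REPLACE(@SearchTerm, N'\', N'\\');
    SET @Pattern = REPLACE(@Pattern,    N'%', N'\%');
    SET @Pattern = REPLACE(@Pattern,    N'_', N'\_');
    SET @Pattern = REPLACE(@Pattern,    N'[', N'\[');

    -- Only the procedure adds a wildcard, and only a trailing one, so an
    -- index on CustomerName can still be used for a seek.
    SET @Pattern = @Pattern + N'%';

    SELECT CustomerID, CustomerName
    FROM dbo.Customers
    WHERE CustomerName LIKE @Pattern ESCAPE N'\';
END;
GO

-- Constructed inputs: '100%' now matches names beginning with the literal
-- text "100%", and '%' on its own matches names beginning with "%" rather
-- than every row in the table.
EXEC dbo.SearchCustomers @SearchTerm = N'100%';
EXEC dbo.SearchCustomers @SearchTerm = N'%';
```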