| Author |
Topic |
|
von
Starting Member
7 Posts |
 Posted - 2006-10-26 : 14:48:19
|
I'm confused on just how bad Dynamic SQL is and how if it prevents SQL Injection attacks? Could some one elaborate on this or point me in the right direction?I've read Part 1 [url]http://www.sqlteam.com/item.asp?ItemID=4599[/url] and Part 2 [url]http://www.sqlteam.com/item.asp?ItemID=4619[/url] of the articles Introduction to Dynamic SQL but there is no mention of SQL Injection and if Dynamic SQL leaves you vulnerable to it.Without using Dynamic SQL, how would you write the following stored procedure and keep it safe from SQL Injection attacks?Also Keep in mind that all 3 parameters could be NULL which would result in all rows being returned where X1 = 1.CREATE PROCEDURE My.SP_ConvertToDynamicSQL( @InClause VARCHAR(200) = NULL, @DateFrom DATETIME = NULL, @DateTo DATETIME = NULL)ASSELECT @SQL = @SQL + 'SELECT * FROM [X]'SELECT @SQL = @SQL + ' WHERE [X].[X1] = 1'IF (@DateFrom IS NOT NULL)BEGIN SELECT @SQL = @SQL + ' AND [ColumnA] IN (' + @InClause+ ')'ENDIF (@DateFrom IS NOT NULL)BEGIN SELECT @SQL = @SQL + ' AND [ColumnB] BETWEEN ''' + CONVERT(char(10), @DateFrom, 101) + ''' AND ''' + CONVERT(char(10), @DateTo, 101) + ''''ENDEXEC(@SQL)RETURN |
|
|
Page47
Master Smack Fu Yak Hacker
2878 Posts |
Posted - 2006-10-26 : 14:59:45
|
| It depends on the intent of your proc ... as best I can tell the proc you have posted here 1) won't compile and 2) has logic errors.If you want to prediate on dates that may or may not exist at batch time you couldselect *from tablewhere (@DateFrom is null or @DateTo is null) or((@DateFrom is not null and @DateTo is not null) andDateColumn between @DateFrom and @DateTo)Jay White |
 |
|
|
Page47
Master Smack Fu Yak Hacker
2878 Posts |
Posted - 2006-10-26 : 15:01:30
|
| or ... depending on your business rules something as simple asselect *from tabwhere DateColumn between isnull(@DateFrom, DateColumn) and isnull(@DateTo, DateColumn)Jay White |
|
|
|
von
Starting Member
7 Posts |
Posted - 2006-10-26 : 15:12:32
|
| Jay,I won't debate you on whether or not the proc has logic errors in it b/c i wrote it by hand in the textbox.I'm trying to figure out if by using Dynamic SQL I am opening myself up to XXS or SQL Injection attacks.I could always do a bunch of "AND MyDate BETWEEN COALESCE(@DateFrom, MyDate) AND COALESCE(@DateTo, MyDate)" or ISNULL(..) in my statements but is this always the most efficient way to do things?In a SELECT statement with say 20-30 where conditions I'd say the COALESCE and ISNULL functions would be less efficient than narrowing the 20-30 where conditions down to say 3-4 by using the "IF [@Parm] IS NOT NULL..." which is why I'm leaning more towards dynamic sql. Also, I have a lot of values being passed in formated to be used in IN clauses.Does Exec sp_executesql help eliminate SQL Inejction?I appreciate your help,von |
|
|
|
von
Starting Member
7 Posts |
Posted - 2006-10-26 : 15:37:26
|
| It looks like I may have found the answer to my problem.[url]http://dotnetjunkies.com/WebLog/richard.dudley/archive/2004/08/25/23293.aspx[/url]It appears by using sp_executesql correctly you can still use dynamic sql and protect yourself against sql injection.thanks,von |
|
|
|
snSQL
Master Smack Fu Yak Hacker
1837 Posts |
Posted - 2006-10-26 : 16:19:48
|
| The point in your example is that the data parameters won't cause vulnerability to SQL Injection, but the @InClause will. If you pass dates to a stored proc as datetime values then they cannot be used for SQL Injection because you cannot put a malformed string in a date. However when you take a string and concatenate it into a a SQL statement then you are opening to attack because that string can be malformed.When you use sp_executesql you declare each string as the value for a specific parameter (it is not just concatenated into the SQL statement and executed). That's why you are safe. |
|
|
|
Page47
Master Smack Fu Yak Hacker
2878 Posts |
Posted - 2006-10-27 : 08:34:38
|
quote:
Originally posted by von
Jay,...I could always do a bunch of "AND MyDate BETWEEN COALESCE(@DateFrom, MyDate) AND COALESCE(@DateTo, MyDate)" or ISNULL(..) in my statements but is this always the most efficient way to do things?In a SELECT statement with say 20-30 where conditions I'd say the COALESCE and ISNULL functions would be less efficient than narrowing the 20-30 where conditions down to say 3-4 by using the "IF [@Parm] IS NOT NULL..." which is why I'm leaning more towards dynamic sql. Also, I have a lot of values being passed in formated to be used in IN clauses....
Based on my experience, I would say quite often you are wrong (EDIT: ok, I don't me you say you are quite often wrong, but I mean to say that quite often the Dynamic SQL query underperforms...). I typically do all I can to avoid Dynamic SQL and performance (cached query plans) is one.I recommend you do what I always do when I am suspect of performance: write it a couple ways, test and determine what is best. I'd be interested to read your findings.Jay White |
|
|
|
pootle_flump
1064 Posts |
Posted - 2006-10-27 : 10:57:20
|
Interstingly dynamic SQL can be used to optimise queries and improve performance:http://www.sqljunkies.com/WebLog/amachanic/articles/StoredProcedureCaching.aspxquote:
Originally posted by Page47I recommend you do what I always do when I am suspect of performance: write it a couple ways, test and determine what is best. I'd be interested to read your findings.
I would certainly do this first though every time. I was referred to the link I posted by Blindman - I have not had need of it very often but it has been extremely effective when required. |
|
|
|
Kristen
Test
22859 Posts |
Posted - 2006-10-28 : 02:55:57
|
"If you pass dates to a stored proc as datetime values then they cannot be used for SQL Injection because you cannot put a malformed string in a date"I don't agree with that (but of course if the query is parameterized, rather than Dynamic SQL from the application, then you would be safe for that reason). An Sproc with a parameter of "datetime" can happily be given a string representation of a date, which can have SQL Injection:CREATE PROCEDURE SP_ConvertToDynamicSQL( @DateFrom DATETIME = NULL)AS SELECT [DateFrom] = @DateFromGO-- Simulate user's data entry capture from a web form -- and SQL generated dynamically in the application, sayDECLARE @DateFrom varchar(8000), @strSQL varchar(8000)SET @DateFrom = '20060101'';SELECT [name] FROM syobjects WHERE type=''U''--'SET @strSQL = 'EXEC SP_ConvertToDynamicSQL @DateFrom = ''' + @DateFrom + ''''SELECT [strSQL] = @strSQLEXEC (@strSQL)GODROP PROCEDURE SP_ConvertToDynamicSQL Kristen |
|
|
|
|
Dynamic SQL and SQL Injection...