03-13-2008, 04:46 PM
RickBisset

The mistake which a lot of developers make is thinking parameterized stored procedures mitigate SQL injection 100% of the time. However, injection is still possible with parameters when dynamic SQL is used in the stored procedure:

i.e.

create proc VulnerableDynamicSQL(@userName nvarchar(25))
as
declare @sql nvarchar(255)
-- the parameter value is concatenated into the statement text,
-- so it is interpreted as SQL rather than passed as data
set @sql = 'select * from users where UserName = '''
+ @userName + ''''
exec sp_executesql @sql

See http://dotnetjunkies.com/WebLog/chri.../13/28370.aspx

Be warned

Richard Bisset
www.NetworkFreelance.co.uk - PR and Marketing Contracts
www.ProvidentHomeBuyers.co.uk - Quick House Purchases
www.CommercialLeaseBack.co.uk - Property Buyers
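The post's procedure beside two hardened forms, as an added T-SQL example that is not the poster's code. It assumes a table dbo.users with an nvarchar column UserName (the names used in the post); sp_executesql's parameter-definition argument is the documented way to keep the value out of the statement text.

```sql
-- Added example (not the poster's code): the same lookup written three ways.
-- Assumes a table dbo.users with an nvarchar column UserName, as in the post.

-- 1. Vulnerable: the parameter is pasted into the SQL text, so a value
--    containing a quote changes the statement, not just the data.
CREATE PROCEDURE dbo.VulnerableDynamicSQL (@userName nvarchar(25))
AS
BEGIN
    DECLARE @sql nvarchar(255);
    SET @sql = N'SELECT * FROM dbo.users WHERE UserName = ''' + @userName + N'''';
    EXEC sp_executesql @sql;
END;
GO

-- 2. Hardened: the value stays a parameter of the dynamic statement.
--    sp_executesql receives the SQL text, a parameter definition and the value
--    separately, so the contents of @userName are never parsed as SQL.
CREATE PROCEDURE dbo.SafeDynamicSQL (@userName nvarchar(25))
AS
BEGIN
    DECLARE @sql nvarchar(255) = N'SELECT * FROM dbo.users WHERE UserName = @u;';
    EXEC sp_executesql @sql, N'@u nvarchar(25)', @u = @userName;
END;
GO

-- 3. Simplest: if the statement does not need to be assembled at run time,
--    drop the dynamic SQL and use the procedure parameter directly.
CREATE PROCEDURE dbo.StaticLookup (@userName nvarchar(25))
AS
BEGIN
    SELECT * FROM dbo.users WHERE UserName = @userName;
END;
GO

-- Check with a legitimate value that contains a quote. The hardened procedures
-- treat it as data and simply look up that name; the vulnerable one builds
-- an unterminated string literal and fails with a syntax error.
EXEC dbo.SafeDynamicSQL @userName = N'O''Brien';
EXEC dbo.StaticLookup   @userName = N'O''Brien';
```

Reviewing a stored procedure for this class of bug comes down to one question: does any string that reaches EXEC or sp_executesql contain a concatenated parameter? Only identifiers (table or column names chosen at run time) ever need to be spliced into the text, and those should go through QUOTENAME and be validated against an allow-list; every value belongs in the parameter list.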