Hi Christof,

Sorry for taking so long to get back to you. I've been ill and subsequently quite busy.
Date: Thu, 8 Jun 2006 07:09:21 +0200
From: "Christof Wollenhaupt" <[EMAIL PROTECTED]>
Subject: RE: [NF] To SP or not to SP Stored Procedures that is
To: [EMAIL PROTECTED]

Hi Mike,

> I would love to see someone demonstrate a SQL Injection Attack with parameterized ad-hoc SQL!

All you need is a parameterized query that somewhere calls sp_executesql or uses EXEC. Since those are mostly used in stored procedures, there's obviously still a possibility to suffer from a SQL injection attack even with stored procedures. It's just harder.
What I mean is, if my application provides an SQL string like this:

    "select * from table where "

and I provide the user with a UI to select field names and enter values:

    field = "uservalue"

and I parameterize the values:

    cField = "uservalue"

the resulting SQL is:

    select * from table where field = @cField

This is called ad-hoc parameterized SQL. The query does not reference SP_ExecuteSQL or EXEC. When my application tells SQL to execute that with VFP's SQLExec(), the contents of cField are not executed as they would be if the command were submitted like this:

    [select * from table where field = "uservalue"]

The contents of cField are passed to SP_ExecuteSQL as parameters, just as other parameters are passed to other SPs. Since it is a fact that SP_ExecuteSQL does not execute the parameters, but merely uses the values for comparisons, there is no way a user can cause an injection attack. If a programmer were to make their own SP and concatenate the values into a SQL string, such SPs could still be subject to SQL Injection Attacks.

So my point is that ad-hoc parameterized SQL is safe as far as I can tell. If I'm wrong please, Please, PLEASE demonstrate by putting SQL Injection code into a parameter and making it execute.

Thanks!
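The two shapes the thread contrasts, side by side, as an added T-SQL illustration that is not code from either poster; the table dbo.Customers, its rows and the procedure names are constructed for the example. The first procedure passes the value to sp_executesql as a typed parameter (Mike's ad-hoc parameterized case); the second concatenates the value into the statement text before EXEC (the stored-procedure case Christof warns about).

```sql
-- Constructed sample data (assumption, not from the thread).
CREATE TABLE dbo.Customers (Id int, Name nvarchar(50), Region nvarchar(50));
INSERT INTO dbo.Customers VALUES (1, N'Alice', N'North'), (2, N'Bob', N'South');
GO

-- Safe shape: the statement text is fixed; the caller's value travels to
-- sp_executesql as a parameter and is only ever compared, never parsed as SQL.
CREATE PROCEDURE dbo.FindByName_Safe @cField nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Id, Name, Region FROM dbo.Customers WHERE Name = @cField';
    EXEC sp_executesql @sql, N'@cField nvarchar(50)', @cField = @cField;
END
GO

-- Unsafe shape: the procedure builds the statement by concatenation, so the
-- caller's value becomes part of the code that EXEC parses and runs.
CREATE PROCEDURE dbo.FindByName_Unsafe @cField nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Id, Name, Region FROM dbo.Customers WHERE Name = ''' + @cField + N'''';
    EXEC (@sql);
END
GO

-- The same input to both: a value that contains a quote and SQL keywords.
DECLARE @input nvarchar(50) = N'x'' OR 1=1 --';
EXEC dbo.FindByName_Safe   @cField = @input;  -- 0 rows: no customer has that literal name
EXEC dbo.FindByName_Unsafe @cField = @input;  -- every row: the WHERE clause was rewritten
GO
```

The difference is where the value lands: as a parameter it can only be a comparison operand, whereas once concatenated into @sql it is statement text, which is why a stored procedure that does its own concatenation and EXEC reintroduces the problem parameterization removed.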

