Hi Stephen
Message: 8
Date: Thu, 24 Aug 2006 13:13:25 -0700
From: [EMAIL PROTECTED]
Subject: RE: ProfoxTech Digest, Vol 39, Issue 93
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: TEXT/plain; CHARSET=US-ASCII

> From: "Hal Kaplan" <[EMAIL PROTECTED]>
> Date: Thu, August 24, 2006 12:57 pm
> To: "ProFox Email List" <[email protected]>
> =>
> => Anyone who blindly enters uncontrolled values into a
> => SQL command is a complete moron. That form of injection was
> => known and handled about a decade ago, when web pages were
> => first used with databases.
> =>
> => -- Ed Leafe
>
> Who said "Two most plentiful things on Earth are nitrogen and stupidity."?
>
> You are correct, sir. (To paraphrase a M$ ad)

I have seen more first mistakes in the login page :) Where you are talking both username & PW, it seems that the mindset is to see if the user & pw are correct by getting the data back. I have seen one system where the first 4 letters of the username are used to pull similar data from the db. The system then iterates through looking for the username and, if found, checks the pw entered. So how do others protect themselves from raw user input when SPs are not worthy?
The ultimate answer IMO is to create your SQL as a parameterized query. No stupid string scrubbing required, no possibility of SQL injection attacks, and the performance is the same as with a stored procedure, since SQL Server version 7 and up caches execution plans for all queries, including stored procedures. The "raw user input", no matter what it contains, is sent to SQL Server as a parameter, therefore it is never executed, while the rest of the SQL command is.

    lcName = "raw user input"
    sqlexec(gnconnection, "select * from table where name = ?m.lcName")

Your application builds the parameters and the SQL command, so it can put in group bys etc.

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
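The contrast the reply draws, as an added example that is not code from this thread: Python with sqlite3 standing in for VFP's SQLEXEC() against SQL Server. The users table, its columns and the sample rows are constructed for the demo, and the `?` placeholder plays the role of the post's `?m.lcName`.

```python
import sqlite3

# Constructed sample data standing in for the post's "table"; the columns are assumed.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("O'Brien", "pw")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """The mistake Ed Leafe describes: the raw value is pasted into the SQL text,
    so the database parses whatever the user typed as part of the command."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # An apostrophe in a legitimate name already breaks this form.
        return ["ERROR: " + str(exc)]


def lookup_param(conn, name):
    """Parameterized, like the post's ?m.lcName: the value is bound to the
    placeholder after the command is parsed, so it can never alter the SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on the same input; returns (concat_result, param_result)."""
    conn = make_db()
    try:
        return lookup_concat(conn, name), lookup_param(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name, a name with an apostrophe, and a tautology that the
    # concatenated form turns into "match every row".
    for value in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

The parameterized form returns the one matching row for `alice`, the exact row for `O'Brien`, and nothing for the tautology, because the whole string is compared as a literal value.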

