Do SQL Stored Procedures prevent SQL Injection?


  • Do SQL Stored Procedures prevent SQL Injection?

    I have a stored procedure EXEC AUHENTICATE_LOGON that has two parameters - USER and PASSHASH.

    It sure would look to me like you can't do SQL Injection on something like that?
    No dynamic SQL, just a simple lookup....

    I figure PASSHASH is automatically "sanitized" by the hashing function.

    USER - I currently don't sanitize it at all, except to escape single quotation marks.

    On one hand you hear every guy on the Internet talking about SQL Injection.
    On the other hand you have the simplicity of a stored procedure with fixed data types and fields etc....

    Thoughts?

  • #2
    Without seeing the content of the SP you are EXECuting, it's impossible to be sure, but it's unlikely that something in such an SP would be prone to SQL injection.

    Of course, all bets are off if the SP contains something like this:

    EXEC (CONCAT('SELECT ', @USER, ' FROM tblUsers WHERE PassHash = ''', @PASSHASH, ''''))  -- dynamic SQL: the parameter values become part of the statement text



    • #3
      Thanks Stuart!
      Simple stuff like this:

      Code:
      USE [Cerruti_Home]
      GO

      SET ANSI_NULLS ON
      GO
      SET QUOTED_IDENTIFIER ON
      GO

      -- Parameters are typed values; they are never spliced into the SQL text.
      ALTER PROCEDURE [dbo].[AUHENTICATE_LOGON]
          @user_name varchar(20),
          @password  varchar(20)
      AS
      BEGIN
          -- Static query: the parameters are compared as values in the WHERE clause.
          SELECT
              Unique_ID,
              CH_Username,
              CH_Password,
              CH_GUID
          FROM Username_Password
          WHERE @user_name = [CH_Username] AND @password = [CH_Password]
      END



      • #4
        Originally posted by David Clarke
        Thanks Stuart!
        Simple stuff like this:
        That should be OK. It doesn't matter what is in @user_name and @password; they will just be treated as strings in the WHERE clause and will not be evaluated in any way.
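Parameter binding is what post #4 is describing. As an added example (not code from this thread or from the poster's database), the following Python/SQLite script stands in for the AUHENTICATE_LOGON lookup and shows that a bound value containing a single quote or SQL comment syntax is matched as a plain string, which also means the manual quote-escaping mentioned in the first post is unnecessary. The table rows are constructed, and since SQLite has no stored procedures a parameterized SELECT plays the procedure's role.

```python
import sqlite3

# Constructed sample rows standing in for the Username_Password table in the thread.
# The second user has a single quote in the name on purpose.
ROWS = [
    (1, "alice", "hash-of-alice-pw", "guid-1"),
    (2, "o'brien", "hash-of-obrien-pw", "guid-2"),
]


def make_db():
    """Build an in-memory SQLite database with the same columns as the thread's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Username_Password "
        "(Unique_ID INTEGER, CH_Username TEXT, CH_Password TEXT, CH_GUID TEXT)"
    )
    conn.executemany("INSERT INTO Username_Password VALUES (?, ?, ?, ?)", ROWS)
    return conn


def login_parameterized(conn, user_name, password):
    """Stand-in for EXEC AUHENTICATE_LOGON @user_name, @password.

    The two values are bound with placeholders, so whatever they contain is
    compared as data in the WHERE clause; the SQL text never changes.
    Returns the matching Unique_IDs (empty list when nothing matches).
    """
    rows = conn.execute(
        "SELECT Unique_ID, CH_Username, CH_Password, CH_GUID FROM Username_Password "
        "WHERE ? = CH_Username AND ? = CH_Password",
        (user_name, password),
    ).fetchall()
    return [r[0] for r in rows]


def concatenated_lookup_fails_on_quote(conn, user_name):
    """Why the first post felt it had to escape quotes: with SQL built by string
    concatenation (the pattern from post #2), a name like o'brien breaks the
    statement itself. Returns True when the database rejects the statement."""
    sql = "SELECT Unique_ID FROM Username_Password WHERE CH_Username = '" + user_name + "'"
    try:
        conn.execute(sql).fetchall()
        return False
    except sqlite3.OperationalError:
        return True
```

A value such as `alice' --` passed to `login_parameterized` simply fails to match any row, and the table is untouched afterwards; escaping the quote yourself (`o''brien`) would make a legitimate login fail, because the bound value is compared literally.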


        • #5
          Thanks again Stuart!