Announcement

Collapse
No announcement yet.

Do SQL Stored Procedures prevent SQL Injection?

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Do SQL Stored Procedures prevent SQL Injection?

    I have a stored procedure EXEC AUHENTICATE_LOGON that has two parameters - USER and PASSHASH.

    It sure would look to me like you can't do SQL Injection on something like that??
    No dynamic SQL just a simple lookup....

    I figure PASSHASH is automatically "sanitized" by the hashing function.

    USER - I currently don't sanitize if at all - except escape single quotation marks.

    On one hand you hear every guy on the Internet talking about SQL Injection.
    On the other hand you have the simplicity of a stored procedure with fixed data types and fields etc....

    Thoughts?
    Tags: None
  • #2
    Without seeing the content of the SP you are EXECuting, it's impossible to be sure, but it's unlikely that something in such an SP would be prone to SQL injection.

    Of course, all bets are off if the SP contains something like this

    EXECUTE CONCAT ('SELECT " , @USER , ' FROM tblUsers Where PassHash = "' , @PASSHASH , '"')

    Comment

    • #3
      Thanks Stuart!
      Simple stuff like this:

      Code:
      USE [Cerruti_Home]
GO

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

ALTER PROCEDURE [dbo].[AUHENTICATE_LOGON]

@user_name varchar(20),
@password  varchar(20)

AS
BEGIN

SELECT

    Unique_ID,
    CH_Username,
    CH_Password,
    CH_GUID

FROM Username_Password

 WHERE @user_name = [CH_Username] AND @password = [CH_Password]

END

      Comment

      • #4
        Originally posted by David Clarke View Post
        Thanks Stuart!
        Simple stuff like this:
        That should be OK, It doesn't matter what is in @user_name and @password, they will just be treated as strings in the WHERE clause, they will not be evaluated in any way,






        Comment

        • #5
          Thanks again Stuart!

          Comment

          Previous template Next
          Working...
          X

          We process personal data about users of our site, through the use of cookies and other technologies, to deliver our services, and to analyze site activity. For additional details, refer to our Privacy Policy.

          By clicking "I AGREE" below, you agree to our Privacy Policy and our personal data processing and cookie practices as described therein. You also acknowledge that this forum may be hosted outside your country and you consent to the collection, storage, and processing of your data in the country where this forum is hosted.

          I Agree