Injection with paramaterized SP
-
We are looking at adding some full-text search functionality to a website, and want to make sure we appropriately protect against SQL injection and other issues. Our current plans are as follows:
- Creating a seperate table to be searched
- Search will be done with a SP, using paramaterized input, with no Dynamic SQL
- SP will be executed with an ID specific to that purpose - it will have no other access.
Am I missing anything? Do I need to scrub the search string since I'm not using dynamic SQL? Would moving this to a seperate database that had only the necessary table/SP/logon in it actually gain us anything? Thanks for any input.
-
How will you accomplish this without parameters passed in?
Curses & Blessings of Dynamic SQL
I wasn't born stupid - I had to study.
-
We will have parameters passed in - I had just planned on using them as follows:
CREATE PROCEDURE dbo.sp_test
@inputParm VARCHAR(100)
...
...
...
select column1, column2, ...
from tablename
where contains(searchfield, @inputParm)
Is that incorrect syntax? I have written plenty of stored procedures, but am new to full-text indices.
-
It should work as long as the table is full-text indexed.
Try the following for @inputParm on a table that you can blow away...
SET @inputpart = '; DROP TABLE YourTestTable'
See if that will trash your table. You may want to read the hyper-link from my first post... Others know much more of this than I do and can probably add further checks to ensure you do not get any SQL Injection errors...
I wasn't born stupid - I had to study.
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply