SQL Server Injection Attacks

  • I've got a couple of ASP.NET projects in the pipeline where users will have the ability to add free-form comments. I've been reading up on precautions to take to avoid SQL SIAs; however, when you're dealing with free-form remarks, is it even possible to ensure that an attack can't occur?

    I've read that parametrized queries and stored procedures go a very long way in preventing a SIA, however even if I pass everything through a stored procedure in and out of the database, could a SIA still occur?

  • It depends on how you implement your calls to the server, and how you build your stored procedures.

    For example, if you build an SQL string in ASP.NET, and then execute it, that's the same as not using a proc in the first place.

    On the other hand, if the comments are fed directly to a proc as a parameter value, then there really isn't a way to get them to execute as an injection attack. Building and executing strings is really where SQL injection comes into play.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
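    The distinction Gus draws above (a proc called through a concatenated string versus a proc called with real parameters) in ASP.NET data-access code. This is an added example, not code from the thread: it assumes a stored procedure named dbo.AddComment with parameters @UserId and @Comment whose body is a plain INSERT, and a connection string supplied by the caller.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient;   // System.Data.SqlClient exposes the same types on older frameworks

/* Assumed proc (not part of the thread); note that @Comment is used only as a value:

   CREATE PROCEDURE dbo.AddComment @UserId INT, @Comment NVARCHAR(MAX) AS
   INSERT INTO dbo.Comments (UserId, CommentText) VALUES (@UserId, @Comment);

   If the proc instead did EXEC('... ' + @Comment + ' ...'), it would be injectable
   no matter how carefully the client called it, because the server would again be
   parsing user text as SQL. */
public static class CommentRepository
{
    // Anti-pattern: the comment text becomes part of the SQL batch that is executed.
    // A stored procedure is invoked, but the server still parses the whole
    // concatenated string, so this is "the same as not using a proc in the first place".
    public static void AddCommentUnsafe(string connectionString, int userId, string comment)
    {
        string sql = "EXEC dbo.AddComment " + userId + ", '" + comment + "'";
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand(sql, conn);
        conn.Open();
        cmd.ExecuteNonQuery();
    }

    // Correct: the comment is sent as a typed parameter value. The text is never
    // parsed as SQL, so quotes, semicolons or comment markers in it are just data.
    public static void AddComment(string connectionString, int userId, string comment)
    {
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand("dbo.AddComment", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = userId;
        // Size -1 maps to NVARCHAR(MAX); a fixed size would let SQL Server reject oversized input.
        cmd.Parameters.Add("@Comment", SqlDbType.NVarChar, -1).Value = comment ?? string.Empty;
        conn.Open();
        cmd.ExecuteNonQuery();
    }
}
```

    The two methods call the same procedure; only the safe one keeps the comment text out of the parsed SQL. The same rule applies inside the proc: parameters only protect the parts of the statement that never pass through EXEC or string concatenation.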

  • I had already planned on shifting everything to stored procedures, so it sounds like I'm on the right track. Even though it's for an intranet, the idea is not to make any presumptions.

  • Sound judgement, there.

    As Dilbert's Pointy-Haired-Boss once said, "100% of employee sabotage is by employees".
