sql server 2008 - Is this stored procedure vulnerable to SQL Injection?


This stored procedure checks a username and password, and returns 1 if the credentials match, else 0.

create procedure usp_checkpermissions
    @username nvarchar(50),
    @password nvarchar(50)
as
begin
    set nocount on;

    -- return 1 when a row with exactly this username/password pair exists, otherwise 0
    if exists (select 1 from dbo.users where username = @username and password = @password)
        return 1;
    else
        return 0;
end
go

This is a sample stored procedure. I want to learn SQL injection techniques so I can prevent the code from being injected.

Assume the inputs are not sanitized in the front end.

I know that if I'm using a dynamic query in the stored procedure, or queries defined in the front end, SQL injection techniques work.

Note: the inputs are passed through the front end.

My question in words:

Can you do injection on this query? If yes, how?

SQL injection does not happen in the stored procedure itself. For that to happen you would need to create the query dynamically inside the procedure.

It's the code calling the stored procedure that is subject to SQL injection. When you create a query by concatenating values without encoding them correctly, SQL injection can be used to break out of the value and inject code into the query.

Example of dangerous code:

string username = Request.Form["username"];
string password = Request.Form["password"];

int ok;
using (SqlConnection conn = new SqlConnection(connStr))
{
    // The parameters are not encoded correctly, totally open to SQL injection!
    // (the procedure's RETURN value is not a result set, so the batch wraps the
    // call in exec @r = ... ; select @r to make ExecuteScalar return it)
    string query = "declare @r int; exec @r = usp_checkpermissions '" + username + "', '" + password + "'; select @r;";

    using (SqlCommand cmd = new SqlCommand(query, conn))
    {
        // a concatenated batch is CommandType.Text; StoredProcedure expects only the procedure name
        cmd.CommandType = CommandType.Text;
        conn.Open();
        ok = (int)cmd.ExecuteScalar();
    }
}

If you log in with the password ';drop table users;--, that's bad...
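The answer above is right that the procedure is only as safe as the code that calls it. The following is an added example, not code from the original question or answer: it puts the concatenated call beside the parameterized one so the difference is visible. `BuildConcatenatedBatch` reproduces the dangerous concatenation as a pure string function so you can see exactly what SQL Server would receive for the `';drop table users;--` password; `CheckPermissions` is the safe form, which names the procedure as the command and passes the values as typed `SqlParameter`s. The connection string, the `Microsoft.Data.SqlClient` namespace and the `dbo.users` table layout are assumptions for illustration.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient; // assumption: on .NET Framework use System.Data.SqlClient instead

public static class PermissionCheck
{
    // Assumed connection string; replace with your own.
    private const string ConnStr =
        "Server=.;Database=AppDb;Integrated Security=true;TrustServerCertificate=true";

    // VULNERABLE (shown for comparison only, never executed here): the same
    // concatenation as in the answer above. The values become part of the
    // T-SQL text, so a quote in the password ends the string literal early.
    public static string BuildConcatenatedBatch(string username, string password)
    {
        return "usp_checkpermissions '" + username + "', '" + password + "'";
    }

    // SAFE: the command is the procedure name, the values are parameters.
    // They travel as typed RPC arguments and are never parsed as T-SQL, so a
    // password of ';drop table users;-- is compared literally against the
    // password column and nothing else.
    public static int CheckPermissions(string username, string password)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("dbo.usp_checkpermissions", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;

            // Sizes match the procedure's nvarchar(50) declarations, so SQL
            // Server cannot be coaxed into an implicit conversion or truncation.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;

            // RETURN 1 / RETURN 0 is not a result set; read it via a ReturnValue parameter.
            SqlParameter ret = cmd.Parameters.Add("@ret", SqlDbType.Int);
            ret.Direction = ParameterDirection.ReturnValue;

            conn.Open();
            cmd.ExecuteNonQuery();
            return (int)ret.Value;
        }
    }

    public static void Main()
    {
        // Constructed attacker input, as in the answer: the leading quote closes
        // the password literal, ; starts a new statement, -- comments out the rest.
        string payload = "';drop table users;--";

        Console.WriteLine("Batch the concatenating code would send:");
        Console.WriteLine("  " + BuildConcatenatedBatch("alice", payload));
        // prints:  usp_checkpermissions 'alice', '';drop table users;--'
        // which SQL Server runs as three parts: the procedure with an empty
        // password, DROP TABLE users, and a comment.

        Console.WriteLine("Parameterized call sends the procedure name plus two nvarchar values;");
        Console.WriteLine("the payload is just a 21-character password that matches nobody.");
        // CheckPermissions("alice", payload) needs a live SQL Server and returns 0.
    }
}
```

Two notes a reviewer would add. First, `CommandType.StoredProcedure` with parameters is what keeps the caller safe; switching back to `CommandType.Text` and concatenating (even with the "safe" wrapper) reopens the hole, and the same applies to any `exec(@sql)` built by string concatenation inside a procedure, where `sp_executesql` with parameters is the equivalent fix. Second, parameterization only addresses injection: the procedure in the question still compares a plaintext password column, which is a separate problem the page does not go into.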
