SQL Server Forums > SQL Server Administration (2005)
Topic: SQL Keeps getting hacked
GilaMonster (Flowing Fount of Yak Knowledge), South Africa, 4507 Posts

Posted - 05/14/2008 : 08:03:58
Byapti, I disagree with you on one point - "Both stored procedure and PreparedStatement are precompiled and hence impossible to penetrate."

Stored procedures are not impossible to penetrate, and precompilation has nothing to do with it. It's parameterisation that's the key point. See this example:

ALTER PROCEDURE Vulnerable @TableToQuery VARCHAR(500)
AS
DECLARE @sSQL VARCHAR(1000)
SET @sSQL = 'SELECT * FROM ' + @TableToQuery  -- caller's text is spliced straight into the statement
EXEC (@sSQL)
GO

EXEC Vulnerable 'sys.tables; drop table Users -- '

Regarding the discovery of schemas, error messages are nice to have, but not essential. Any screen that shows a list of data and is vulnerable to injection can be used to determine the schema. It just takes a lot more patience if the error messages aren't shown.

Gail Shaw

Edited by - GilaMonster on 05/14/2008 08:05:28
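The parameterised counterpart to the Vulnerable procedure above, as an added example that is not part of the original post: a table name cannot be passed as an sp_executesql parameter, so it is resolved against the catalog and bracket-quoted with QUOTENAME, while the caller's filter value travels as a typed parameter. The queried table is assumed to have an integer column named Id (hypothetical).

```sql
-- Added example, not from the original post: a parameterised counterpart to Vulnerable.
-- Assumes the queried table has an integer column named Id (hypothetical).
CREATE PROCEDURE SaferQuery
    @TableToQuery SYSNAME,
    @MinId INT
AS
BEGIN
    SET NOCOUNT ON;

    -- A table name cannot be an sp_executesql parameter, so resolve the caller's text
    -- to a real user table first; the post's payload is not one and is rejected here.
    DECLARE @ObjectId INT;
    SET @ObjectId = OBJECT_ID(@TableToQuery, 'U');
    IF @ObjectId IS NULL
    BEGIN
        RAISERROR('Unknown table: %s', 16, 1, @TableToQuery);
        RETURN;
    END

    -- Rebuild the identifier from the catalog and bracket-quote it, never from the input.
    DECLARE @SafeName NVARCHAR(300);
    SET @SafeName = QUOTENAME(OBJECT_SCHEMA_NAME(@ObjectId)) + N'.'
                  + QUOTENAME(OBJECT_NAME(@ObjectId));

    -- Only the filter value comes from the caller, and it travels as a typed parameter:
    -- no concatenation, so nothing in it can end the statement or start another one.
    DECLARE @sSQL NVARCHAR(MAX);
    SET @sSQL = N'SELECT * FROM ' + @SafeName + N' WHERE Id >= @MinId;';
    EXEC sp_executesql @sSQL, N'@MinId INT', @MinId = @MinId;
END
GO

-- The payload from the post now fails the OBJECT_ID check instead of running.
EXEC SaferQuery 'sys.tables; drop table Users -- ', 0;
```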
SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC