SQL Server Forums
Profile | Register | Active Topics | Members | Search | Forum FAQ
 
Register Now and get your question answered!
Username:
 Password:
Save Password
Forgot your Password?

 All Forums
 SQL Server 2005 Forums
 SQL Server Administration (2005)
 SQL Keeps gatting hacked		  New Topic  Reply to Topic
 Printer Friendly
Previous Page
Author Previous Topic Topic Next Topic
Page: of 2

GilaMonster
Flowing Fount of Yak Knowledge

South Africa
4507 Posts
Posted - 05/14/2008 :  08:03:58  Show Profile  Visit GilaMonster's Homepage  Reply with Quote
Byapti, I disagree with you on one point - "Both store procedure and PreparedStatement are precompiled and
hence impossible to penetrate."

Stored procedures are not impossible to penetrate, and precompilation has nothing to do with it. It's parameterisation that's the key point. See this example

ALTER PROCEDURE Vulnerable @TableToQuery VARCHAR(500)
AS
DECLARE @sSQL VARCHAR(2000)
SET @sSQL = 'SELECT * FROM ' + @TableToQuery
PRINT @sSQL
EXEC (@sSQL)
GO

EXEC Vulnerable 'sys.tables; drop table Users -- '



Regardng the discovery of schemas, error messages are nice to have, but not essential. Any screen that shows a list of data and is vulnerable to injection can be used to determine the schema. It just takes a lot more patience if the error messages aren't shown.

--
Gail Shaw
Edited by - GilaMonster on 05/14/2008 08:05:28
Go to Top of Page
Page: of 2 Previous Topic Topic Next Topic  
Previous Page
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC Go To Top Of Page
This page was generated in 0.05 seconds. Powered By: Snitz Forums 2000