Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 SQL Server 2005 Forums
 Transact-SQL (2005)
 dynamic sql and injection

Author  Topic 

nice123ej
Starting Member

48 Posts
Posted - 2009-11-23 : 22:43:07
Hi
I am using dynamix sql EXECUTE('.....')
to avoid injection i stopped users from using words like
SELECT, INSERT, DELETE, UPDATE, DROP, CREATE, ALTER, GRANT.

is this enough?

can user still user EXECUTE inside the EXECUTE
is there any way i can force sql script to do 1 statement on 1 table only like (this EXECUTE will only UPDATE table myTable)

thanks

tkizer
Almighty SQL Goddess

38200 Posts
Posted - 2009-11-23 : 23:36:43
To avoid SQL injection, you just need to use parameterized queries from within the application. You do not need to restrict keywords.

Tara Kizer
Microsoft MVP for Windows Server System - SQL Server
http://weblogs.sqlteam.com/tarad/

Subscribe to my blog

"Let's begin with the premise that everything you've done up until this point is wrong."
Go to Top of Page

nice123ej
Starting Member

48 Posts
Posted - 2009-11-24 : 00:09:57
parameterized query does not fit my scenarios
I built UPDATE statment in stored procedure, it is complex update.
anyway, will avoiding these SELECT, INSERT, DELETE, UPDATE, DROP, CREATE, ALTER, GRANT will keep me safe?
i was thinking what if user used something like EXEC(REPLACE('D:E:L:E:T:E FROM myTable', ':', '')) in this case i wont be able to catch it :(

any idea how to protect my tables?
Go to Top of Page

tkizer
Almighty SQL Goddess

38200 Posts
Posted - 2009-11-24 : 00:10:37
Please tell us why parameterized queries can't be used. Show us your stored procedure for starters.

Tara Kizer
Microsoft MVP for Windows Server System - SQL Server
http://weblogs.sqlteam.com/tarad/

Subscribe to my blog

"Let's begin with the premise that everything you've done up until this point is wrong."
Go to Top of Page

nice123ej
Starting Member

48 Posts
Posted - 2009-11-24 : 00:35:29
In the system we allow user to creat thier own fields
so in the update statement, column name as actually records in another table and column values are another records


UserCustomTable

RecName RecValue
--------- --------
CarReg 'ABC 123'
CarYear 2007
CarExpiry CarYear + 1


so I create variable table @myTable that has columns from UserCustomTable, and using cursor i build the update statement
to get the final results
in the end my update will look like this

UPDATE @myTable
SET
CarReg = 'ABC 123',
CarYear = 2007,
CarExpiry = CarYear + 1

so if user typed something like DELETE FROM UsersTable instead of 'ABC 123' then a big trouble.
Go to Top of Page

tkizer
Almighty SQL Goddess

38200 Posts
Posted - 2009-11-24 : 00:55:26
You need to fix your database design then. The only way to prevent sql injection truly is to use parameterized queries for all data access.

Tara Kizer
Microsoft MVP for Windows Server System - SQL Server
http://weblogs.sqlteam.com/tarad/

Subscribe to my blog

"Let's begin with the premise that everything you've done up until this point is wrong."
Go to Top of Page

nice123ej
Starting Member

48 Posts
Posted - 2009-11-24 : 17:39:37
Thanks for the advice. we will change the design in the next project.
for now does anyone know any way i can protect the current design database from SQL injection?
Thanks
Go to Top of Page
   

Subscribe to SQLTeam.com

SQLTeam.com Articles via RSS

SQLTeam.com Weblog via RSS

- Advertisement -

Resources

Articles

Forums

Blogs

Contact Us

About the Site