goematix
Starting Member
3 Posts |
Posted - 2008-07-23 : 20:26:04
Hi, I am trying to prevent a SQL injection attack. It is using the following stored procedures. Can anyone help me secure these procedures? Thanks.

CREATE Procedure proc_listAdminListDiscs
    @accID int
As
SELECT adc_id, adc_discount, adc_descr, dt_descr AS d_descr
FROM tbl_tmp_accomDiscounts
    INNER JOIN tbl_discount_types ON tbl_tmp_accomDiscounts.adc_discount = tbl_discount_types.dt_id
WHERE adc_accom = @accID
ORDER BY adc_rank ASC
GO

CREATE Procedure proc_listAdminListDiscTypes
    @accID int
As
SELECT dt_id AS d_id, dt_descr AS d_descr
FROM tbl_discount_types d
WHERE NOT EXISTS (SELECT adc_id
                  FROM tbl_tmp_accomDiscounts tad
                  WHERE tad.adc_discount = d.dt_id AND tad.adc_accom = @accID)
GO

CREATE Procedure proc_addAdminListDiscount
    @accID int,
    @discountID int,
    @details varChar(255)
As
DECLARE @rank int
SELECT @rank = MAX(adc_rank) FROM tbl_tmp_accomDiscounts WHERE adc_accom = @accID
IF @rank IS NULL SELECT @rank = 0
SELECT @rank = @rank + 1
INSERT INTO tbl_tmp_accomDiscounts (adc_accom, adc_discount, adc_descr, adc_rank)
VALUES (@accID, @discountID, @details, @rank)
GO
blindman
Master Smack Fu Yak Hacker
2365 Posts |
Posted - 2008-07-23 : 21:10:45
Those procedures are not vulnerable to SQL injection attacks.

e4 d5 xd5 Nf6
goematix
Starting Member
3 Posts |
Posted - 2008-07-24 : 00:02:00
Ok, thanks. Is this code vulnerable to attack?

set rs = cn.execute("proc_listAdminListDiscTypes " & accID)
set rs = cn.execute("proc_deleteAdminListDiscount " & itemID)
blindman
Master Smack Fu Yak Hacker
2365 Posts |
Posted - 2008-07-24 : 00:57:13
Yes. This code concatenates the contents of a variable into an SQL statement and then executes it. You will need to scrub and verify the data in accID and itemID before sending the statement to the server.

e4 d5 xd5 Nf6
goematix
Starting Member
3 Posts |
Posted - 2008-07-24 : 01:17:00
I'm a bit new at this. Can you please suggest an alternative to set rs = cn.execute("proc_deleteAdminListDiscount " & itemID). Thanks.
pootle_flump
1064 Posts |
Posted - 2008-07-24 : 05:42:23
Use parameters in your client code. I've just googled - something like the final example here:http://authors.aspalliance.com/stevesmith/articles/sprocs.asp |
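The parameterized call pootle_flump is pointing at, written out for the two ADO lines goematix posted. This is an added example, not code from the thread or from the linked article. It assumes classic ASP with cn already an open ADODB.Connection, that accID and itemID arrive as request strings (untrusted input), and that proc_deleteAdminListDiscount, which is not shown in the thread, takes a single int parameter here called @itemID.

```vbscript
' Added example: replaces cn.execute("proc_name " & value) with an ADODB.Command
' whose parameter is bound as a typed int, so the value never becomes SQL text.
' Assumes: cn is an open ADODB.Connection; the parameter name @itemID for
' proc_deleteAdminListDiscount is assumed, since that procedure is not in the thread.
Option Explicit

Const adInteger = 3
Const adParamInput = 1
Const adCmdStoredProc = 4
Const adExecuteNoRecords = 128

' Runs a stored procedure that takes exactly one int parameter.
' rawValue is whatever came off the request; it is validated, converted
' to a Long and bound as a parameter rather than concatenated into a string.
' Returns a Recordset when wantRows is True, otherwise Nothing.
Function ExecIntProc(cn, procName, paramName, rawValue, wantRows)
    Dim cmd
    ' Defense in depth: refuse anything that is not a plain whole number
    ' before it reaches ADO (CLng would also fail on junk, but this fails loudly).
    If Not IsNumeric(rawValue) Or InStr(rawValue, ".") > 0 Then
        Err.Raise vbObjectError + 1, "ExecIntProc", "invalid integer: " & rawValue
    End If

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdStoredProc   ' procName is a procedure name, not a batch
    cmd.CommandText = procName
    cmd.Parameters.Append cmd.CreateParameter(paramName, adInteger, adParamInput, , CLng(rawValue))

    If wantRows Then
        Set ExecIntProc = cmd.Execute
    Else
        cmd.Execute , , adExecuteNoRecords
        Set ExecIntProc = Nothing
    End If
End Function

' Replaces: set rs = cn.execute("proc_listAdminListDiscTypes " & accID)
Dim rs
Set rs = ExecIntProc(cn, "proc_listAdminListDiscTypes", "@accID", Request.QueryString("accID"), True)
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("d_id") & " " & rs("d_descr")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing

' Replaces: set rs = cn.execute("proc_deleteAdminListDiscount " & itemID)
ExecIntProc cn, "proc_deleteAdminListDiscount", "@itemID", Request.Form("itemID"), False
```

With CommandType set to adCmdStoredProc the provider issues an RPC call to the procedure and ships the parameter as a typed value, so there is no string for an attacker-controlled itemID to alter. Most SQL Server providers bind parameters by position, in the order they are appended, rather than by the name passed to CreateParameter, so keep the Append calls in the same order as the procedure's parameter list.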