herbjorn
Starting Member
8 Posts |
Posted - 2007-01-10 : 08:27:26

Hi,

I have heard that there might be some risks for SQL injection when using dynamic SQL. Where can I read more about this?

Sincerely, Herbjörn

ditch
Master Smack Fu Yak Hacker
1466 Posts |
Posted - 2007-01-10 : 08:30:40

http://www.google.com/search?hl=en&q=%22SQL+Injection%22&btnG=Google+Search

Duane.

harsh_athalye
Master Smack Fu Yak Hacker
5581 Posts |
Posted - 2007-01-10 : 09:08:17

If you want to take a look at a live demonstration, see this: http://youtube.com/watch?v=MJNJjh4jORY

Harsh Athalye
India.
"The IMPOSSIBLE is often UNTRIED"

herbjorn
Starting Member
8 Posts |
Posted - 2007-01-11 : 02:41:58

Hi,

Thanks, but that was not what I was looking for. I'm interested in attacks that can be used against DYNAMIC SQL, where you build a SQL command in a varchar variable in a stored procedure and execute it using exec @MyVariable.

For more about dynamic SQL see http://www.sqlteam.com/item.asp?ItemID=4599

Sincerely, Herbjörn

Kristen
Test
22859 Posts |
Posted - 2007-01-11 : 03:11:48

But that's exactly how that attack succeeds, isn't it?

Well, it may be in the string handling of some application language, rather than SQL Server's string handling, but the Cause and Effect is the same.

Kristen

SwePeso
Patron Saint of Lost Yaks
30421 Posts

Kristen
Test
22859 Posts |
Posted - 2007-01-11 : 03:44:50

"Always use COMMAND object"

Or, from SQL, sp_ExecuteSQL (with some care) rather than exec @MyVariable.

Kristen
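The attack Herbjörn asks about (a statement assembled in a string variable and run with EXEC @sql inside a stored procedure) and the sp_executesql alternative Kristen points to, worked through as an added T-SQL example. This is not code from the thread or from any of its posters; the table dbo.Customers, the three procedure names, the @p_name parameter and the injected strings are all constructed for the demonstration. The last procedure goes slightly beyond the question to the case sp_executesql parameters cannot cover, identifiers supplied by the caller, which is the "with some care" part of Kristen's answer.

```sql
-- Added example, not from the thread. Table, procedure and column names are
-- assumed for the demonstration; the injected strings are constructed.
CREATE TABLE dbo.Customers (CustomerID int NOT NULL, Name nvarchar(100) NOT NULL);
INSERT INTO dbo.Customers (CustomerID, Name) VALUES (1, N'Alice');
INSERT INTO dbo.Customers (CustomerID, Name) VALUES (2, N'Bob');
GO

-- 1. The pattern in the question: the statement is assembled in a string
--    variable and run with EXEC (@sql). The caller's text becomes part of the
--    program rather than a value the program compares against.
CREATE PROCEDURE dbo.GetCustomer_Concat @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerID, Name FROM dbo.Customers WHERE Name = '''
             + @Name + N'''';
    EXEC (@sql);
END
GO

EXEC dbo.GetCustomer_Concat N'Alice';           -- 1 row, as intended

-- The leading quote in the argument closes the literal early and "--"
-- comments out the quote the procedure appends, so the text executed is
--   SELECT CustomerID, Name FROM dbo.Customers WHERE Name = '' OR 1=1 --'
-- and every row comes back. A stacked statement such as
-- N'''; DELETE dbo.Customers --' would run the DELETE through the same path.
EXEC dbo.GetCustomer_Concat N''' OR 1=1 --';    -- 2 rows
GO

-- 2. The sp_executesql form: the statement text is fixed at write time and
--    @Name is bound to @p_name as a value, whatever characters it contains.
CREATE PROCEDURE dbo.GetCustomer_Param @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerID, Name FROM dbo.Customers WHERE Name = @p_name';
    EXEC sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @Name;
END
GO

EXEC dbo.GetCustomer_Param N'Alice';            -- 1 row
EXEC dbo.GetCustomer_Param N''' OR 1=1 --';     -- 0 rows: no customer has that name
GO

-- 3. "With some care": sp_executesql gains nothing if @sql is still built by
--    concatenating the value (procedure 1 with a different EXEC line is just
--    as exposed), and identifiers (table or column names, ORDER BY targets)
--    cannot be passed as parameters at all. For those, check the name against
--    the catalog and wrap it in QUOTENAME() before it touches the string.
CREATE PROCEDURE dbo.GetCustomers_Sorted @SortColumn sysname
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Customers')
                     AND name = @SortColumn)
    BEGIN
        RAISERROR (N'Unknown sort column.', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerID, Name FROM dbo.Customers ORDER BY '
             + QUOTENAME(@SortColumn);
    EXEC sp_executesql @sql;
END
GO

EXEC dbo.GetCustomers_Sorted N'Name';                               -- sorted by Name
EXEC dbo.GetCustomers_Sorted N'Name; DROP TABLE dbo.Customers --';  -- rejected, never executed
GO
```

Two points worth keeping in mind when reading the output. The injected argument in section 1 is an ordinary nvarchar value as far as the procedure's own parameter is concerned; it only becomes code at the point where the procedure splices it into @sql, which is why the same string is harmless in section 2. And dynamic SQL, whether run through EXEC or sp_executesql, is not covered by the procedure's ownership chain, so the caller needs direct permissions on dbo.Customers for any of these procedures to work at all; that is a separate reason to keep the dynamic part as small as possible.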