> Date: Thu, 16 Apr 2009 22:30:09 +0100
> From: Paul Hill <paulroberth...@gmail.com>
> Subject: Re: String With Apostrophes, etc Into MySql
> To: profoxt...@leafe.com
>
> On Thu, Apr 16, 2009 at 8:59 PM, Mike yearwood <mike.yearw...@gmail.com> 
> wrote:
>>> From: Stephen Russell <srussell...@gmail.com>
>>>> Mike yearwood wrote:
>>> Second Q here is if injection is impossible if you use params?
>>>
>>> The answer to that is NO. Is it harder to achieve success in
>>> injection attacks? Much harder but there are vulnerabilities. That
>>> param is read and stored to be used later on in the code, so if your
>>> hack works to make the system unstable your second hack could inject
>>> rights to give someone or something to be used later. Real hard to
>>> determine if they work.
>>
>> Please demonstrate. Parameters eliminate attacks. If a param is stored
>> in a table and a programmer concatenates that param into a new SQL
>> even that injection is prevented via parameterization. Queries don't
>> execute the contents of the fields so stored "injection" params
>> wouldn't cause SQL to do anything.
>
> CREATE PROCEDURE do_stuff
>   @param1 varchar(40)
> AS
>   -- the parameter is executed as a SQL batch, not bound as data
>   EXEC (@param1)
> GO
>
> ?
>
> --
> Paul

Paul. That is not a SQL Injection Attack. SQL Injection occurs when a
user input is concatenated / injected into an existing SQL command.

http://en.wikipedia.org/wiki/SQL_injection

Your example does prove that stored procedures are not necessarily
bulletproof alternatives to dynamic ad-hoc parameterized SQL. ;)


Mike Yearwood
Microsoft MVP 2008 - Visual FoxPro
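As an added illustration of the exchange above (not code from the thread or from either poster), a Python/SQLite stand-in for Paul's procedure and for the apostrophe problem in the subject line: the caller binds the input as a parameter every time, but whether that protects anything depends on what the procedure does with it. SQLite has no stored procedures or EXEC, so the procedure body is a Python function and EXEC(@param1) becomes executescript(); the table names, inputs and helper names are constructed for this example.

```python
import sqlite3

def setup() -> sqlite3.Connection:
    """Constructed schema: one table the procedure is meant to write to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn

def do_stuff_exec(conn: sqlite3.Connection, param1: str) -> None:
    """Analog of Paul's procedure: the parameter IS the SQL batch.
    Binding it at the call site changes nothing once EXEC runs it."""
    conn.executescript(param1)

def do_stuff_param(conn: sqlite3.Connection, param1: str) -> None:
    """Hardened analog: inside the procedure the value is only ever bound
    as data, so a statement-shaped string is just a string."""
    conn.execute("INSERT INTO notes (body) VALUES (?)", (param1,))

def call_procedure(conn: sqlite3.Connection, proc, user_input: str) -> list:
    """The caller does everything right: no concatenation, the input is
    handed to the procedure as a parameter. Returns the table names
    afterwards so we can see whether the input ran as code."""
    proc(conn, user_input)
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]

# Constructed input: a harmless DDL statement, not a note body.
STATEMENT_INPUT = "CREATE TABLE injected (x)"

def find_note_concat(conn: sqlite3.Connection, body: str):
    """Classic concatenation: an apostrophe in the data breaks the
    statement (or lets the data rewrite it). Returns the error class
    name instead of raising so the failure is visible as a value."""
    try:
        sql = "SELECT id FROM notes WHERE body = '" + body + "'"
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return type(exc).__name__

def find_note_param(conn: sqlite3.Connection, body: str):
    """Parameterized lookup: the apostrophe is just another character."""
    return conn.execute(
        "SELECT id FROM notes WHERE body = ?", (body,)).fetchall()

if __name__ == "__main__":
    c = setup()
    print(call_procedure(c, do_stuff_exec, STATEMENT_INPUT))   # input ran
    c = setup()
    print(call_procedure(c, do_stuff_param, STATEMENT_INPUT))  # stored as text
```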

_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/38cc26d30904170907q1f0b72b3ja4e50a7aed84d...@mail.gmail.com