  1. #1
    SitePoint Enthusiast
    Join Date
    Sep 2002
    Location
    Australia
    Posts
    27
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Is this use of stored procs vulnerable to SQL Injections?

    Hi gurus,

    A colleague developer was criticising a code practice that I have been using, saying that it is vulnerable to SQL injections:

    If I execute a stored procedure like this within my ASP code, does this make the SQL query vulnerable to injections?

    conn.Execute("exec pTopCategories " & SupplierID)

    Thank you in advance.

  2. #2
    SitePoint Guru SSJ's Avatar
    Join Date
    Jan 2007
    Posts
    830
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It is not vulnerable, but you have to filter the SupplierID to prevent SQL Injection.

    -SSJ

  3. #3
    SitePoint Enthusiast
    Join Date
    Sep 2002
    Location
    Australia
    Posts
    27
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yeah, that's what I thought too. But the colleague is saying that I need to use the command object, which actually requires a lot more code.

    I have been trying to find evidence to support my argument on the web, but it seems like my approach to calling stored procs is very uncommon, and not documented much.

    What do you guys think?

  4. #4
    SitePoint Enthusiast
    Join Date
    Mar 2006
    Location
    United Kingdom
    Posts
    49
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Have a look at this link and try to see if your code is vulnerable to SQL injections by running a few tests; this way you'll know for sure:

    http://en.wikipedia.org/wiki/SQL_injection

  5. #5
    Original Gangster silver trophy Thing's Avatar
    Join Date
    Oct 2000
    Location
    Philadelphia, PA
    Posts
    4,708
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    SSJ is right; the only thing that can make your stored proc vulnerable to SQL Injection is not stripping out special characters from your variable SupplierID.

  6. #6
    SitePoint Enthusiast
    Join Date
    Sep 2002
    Location
    Australia
    Posts
    27
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks guys. Oh I see, so if I did this:

    conn.Execute("exec pTopCategories " & CLng(SupplierID))

    then it would be alright?

    From what I have been reading up, it doesn't look like you even need to "use stored procs and objcommand add params method" (which is what my colleague is saying I must do) to prevent injections:
    http://www.4guysfromrolla.com/webtech/061902-1.shtml

    All one needs is to filter the types, e.g.:
    Replace(Request.Form("txtUsername"), "'", "''") for strings and using CLng for integers.
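The command-object approach the colleague is asking for, as an added example that is not code from the thread: the stored procedure name pTopCategories comes from the thread, while the parameter name @SupplierID, the request variable and the IsPlainInteger/TopCategoriesFor helper names are assumptions. It pairs a strict integer check on the raw text with a typed ADO parameter, so the value never becomes part of the SQL text and no quoting of the input is needed.

```vbscript
<%
' Added example, not from the thread. Numeric ADO constants are used so the
' page does not depend on adovbs.inc. @SupplierID is an assumed parameter name.
Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1

' Accept only a plain decimal integer (up to 9 digits, optional sign).
' Checking the text first gives a clean rejection instead of a runtime
' type-mismatch error from CLng on non-numeric input.
Function IsPlainInteger(text)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?\d{1,9}$"
    IsPlainInteger = re.Test(text)
End Function

' Runs pTopCategories for the given supplier id text. Returns the Recordset,
' or Nothing when the input is not a plain integer.
Function TopCategoriesFor(conn, supplierIdText)
    Set TopCategoriesFor = Nothing
    If Not IsPlainInteger(supplierIdText) Then Exit Function

    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "pTopCategories"
    cmd.CommandType = adCmdStoredProc
    ' The value travels as a typed parameter, separate from the command text,
    ' so it cannot alter the statement that the server executes.
    cmd.Parameters.Append cmd.CreateParameter("@SupplierID", adInteger, adParamInput, 4, CLng(supplierIdText))
    Set TopCategoriesFor = cmd.Execute
End Function

' Replacement for the thread's conn.Execute("exec pTopCategories " & SupplierID).
' conn is assumed to be an already opened ADODB.Connection.
Dim rs
Set rs = TopCategoriesFor(conn, Request.QueryString("SupplierID"))
If rs Is Nothing Then
    Response.Status = "400 Bad Request"
Else
    ' Render rs here as the page did before, then release it.
    rs.Close
End If
%>
```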

