SQL injection and parameterized stored procedures

Aaron Bertrand [MVP]

Is SQL injection an issue with SP's?

As long as you replace ' with '' then you *should* be fine...

Some will argue that using a command object (which forces strong typing of
parameters, among other things) will protect you "better" but I don't
necessarily agree that it is one of the command object's strengths.

Jeff Cochran

Is SQL injection an issue with SP's?

Sure. Anytime a SP accepts a parameter and the parameter can be
entered as an injection routine, it's a factor. The normal SQL
injection fixes work as well, escaping single quotes, etc.

Jeff
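The two approaches the replies mention, quote doubling and a typed parameter object, side by side in a runnable form. This is an added example, not code from the thread or from either poster; it uses Python's built-in sqlite3 module and an in-memory table in place of SQL Server and a stored procedure, so the table, the sample rows and the function names are all constructed for the demo.

```python
import sqlite3

# Constructed sample data for a self-contained demo (not from the thread).
SAMPLE_USERS = [(1, "alice"), (2, "O'Brien"), (3, "bob")]


def make_db():
    """Create an in-memory table standing in for the data a procedure would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def escape_single_quotes(value: str) -> str:
    """The quote-doubling technique from the thread: every ' becomes ''."""
    return value.replace("'", "''")


def find_by_name_escaped(conn, name: str):
    """String-built query relying on quote doubling.

    This only works because the value is wrapped in single quotes in the SQL
    text; a value spliced into an unquoted position (a numeric column, an
    ORDER BY, an EXEC string) gets no protection from doubling quotes.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + escape_single_quotes(name) + "'"
    return conn.execute(sql).fetchall()


def find_by_name_parameterized(conn, name: str):
    """Parameterized query: the driver passes the value as data, so the SQL
    text is fixed no matter what the value contains."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_typed(conn, raw_id: str):
    """The 'command object' point: coerce to the parameter's type first, then
    bind. Input that is not an integer is rejected instead of reaching SQL."""
    try:
        user_id = int(raw_id)
    except ValueError:
        return None  # refuse rather than splice the raw text into the query
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_escaped(db, "O'Brien"))        # [(2, "O'Brien")]
    print(find_by_name_parameterized(db, "O'Brien"))  # [(2, "O'Brien")]
    print(find_by_id_typed(db, "2"))                  # [(2, "O'Brien")]
    print(find_by_id_typed(db, "2abc"))               # None
```

Both name lookups handle an apostrophe in the data correctly, but only the parameterized form keeps working when the value is not a quoted string. The same principle applies when calling a stored procedure: pass its arguments as bound parameters on the command rather than concatenating them into an EXEC string, so the procedure's parameter types, not quote handling in application code, decide what the database sees.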
 
Stan Prosedur

Thanks to the both of you.

:)


Jeff Cochran said:
Sure. Anytime a SP accepts a parameter and the parameter can be
entered as an injection routine, it's a factor. The normal SQL
injection fixes work as well, escaping single quotes, etc.

Jeff