Prevent injection MSSql server

10-16-2007, 09:07 AM
#1
ktsirig

Hello,
I wanted to ask if anyone knows of a way to prevent injection in an SQL SERVER 2005. I mean, is there any way to do all the blocking in the server and not have to escape each special character one-by-one?
For example, in PHP I used mysql_escape_string and automatically the string was OK to send to the database... Is there something similar in SQL Server?

Thank you

10-16-2007, 02:40 PM
#2
masfenix

You have a number of options here.

I prefer using stored procedures.

But if in fact you are using dynamic T-SQL, then use parameters.

For example:

Imports System.Data
Imports System.Data.SqlClient

' The SQL text is constant; the value is bound separately as a typed parameter
Dim cmd As New SqlCommand()
cmd.CommandType = Data.CommandType.Text
cmd.CommandText = "SELECT * FROM [bets] WHERE closed = @int"
cmd.Parameters.Add("@int", SqlDbType.SmallInt).Value = someValue

Next put a ValidateRequest="true" on top of your page.

12-02-2007, 11:33 AM
#3
amf

If you haven't found it yet, look into mssql_init/mssql_bind/mssql_execute, which use parameters to pass values into stored procedures. This is considered "the way" to do things in PHP with MS SQL. Also note the complaints about PHP not working with SQL 2005 Express, and how to fix it, in the comments of the PHP doc section on MSSQL.

03-13-2008, 04:46 PM
#4
RickBisset

The mistake which a lot of developers make is thinking parameterized stored procedures mitigate SQL injection 100% of the time. However, injection is still possible with parameters when dynamic SQL is used in the stored procedure:

i.e.

-- Deliberately vulnerable: @userName is concatenated into the statement text,
-- so a quote inside the value becomes part of the SQL rather than of the literal
create proc VulnerableDynamicSQL(@userName nvarchar(25))
as
declare @sql nvarchar(255)
set @sql = 'select * from users where UserName = ''' + @userName + ''''
exec sp_executesql @sql

See http://dotnetjunkies.com/WebLog/chri.../13/28370.aspx

Be warned

Richard Bisset
www.NetworkFreelance.co.uk - PR and Marketing Contracts
www.ProvidentHomeBuyers.co.uk - Quick House Purchases
www.CommercialLeaseBack.co.uk - Property Buyers
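The remedy for the dynamic-SQL case above, as an added example that is not part of the original thread: the same lookup written with sp_executesql's parameter list (the value is bound by the engine, the statement text stays constant) and, simpler still, as a static statement. The table dbo.users and its UserName column are assumptions for illustration.

```sql
-- Added example, not from the thread. Assumes dbo.users(UserName nvarchar(25), ...).

-- Hardened dynamic SQL: the text is a constant containing a placeholder (@u);
-- the user-supplied value is passed separately through the parameter
-- definition, so it can never alter the shape of the query.
CREATE PROC dbo.SafeDynamicSQL (@userName nvarchar(25))
AS
    DECLARE @sql nvarchar(255) =
        N'SELECT * FROM dbo.users WHERE UserName = @u';
    EXEC sp_executesql @sql, N'@u nvarchar(25)', @u = @userName;
GO

-- Simplest form: when the query shape is fixed, no dynamic SQL is needed at
-- all; a static statement inside the procedure is already parameterized.
CREATE PROC dbo.StaticLookup (@userName nvarchar(25))
AS
    SELECT * FROM dbo.users WHERE UserName = @userName;
GO

-- Caveat: only values can be bound this way. Table or column names that
-- must vary still have to be validated against an allow-list and wrapped
-- with QUOTENAME() before being concatenated into @sql.

-- Constructed check: a value containing a single quote. Against the
-- vulnerable procedure above it terminates the string literal; against
-- both of these it is just a name to compare, so no rows match.
EXEC dbo.SafeDynamicSQL @userName = N'O''Brien';
EXEC dbo.StaticLookup   @userName = N'O''Brien';
```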

11-10-2008, 07:47 PM
#5
garydevenay

As long as you use parameters (i.e. id = @id) you should be safe.

12-10-2008, 08:59 AM
#6
freelancerguy

We have a couple of options to resolve SQL injection issues. But as per myself, stored procedures are the best method to restrict SQL injection.
