saved parameter queries

am 23.05.2006 04:28:49 von Andrew Oke

Hi again,

Just a quick question. I've done reading on SQL injection attacks after
the issue was raised over my method of deleting records from my Access
table. If I use saved parameter queries, will this solve this problem, or
are there additional steps I should take? Links to reading are fine.
Thanks for the help.

Re: saved parameter queries

am 23.05.2006 13:26:22 von reb01501

Andrew Oke wrote:
> Hi again,
>
> Just a quick question. I've done reading on SQL injection attacks
> after the issue was raised over my method of deleting records from my
> Access table. If I use saved parameter queries, will this solve this
> problem, or are there additional steps I should take?

Absolutely. Direct Injection is not possible when using parameters, whether
using saved parameter queries or strings containing parameter markers.
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

However, do not assume that a user is submitting data via the form you
created. Always validate user input in server-side code ... before you even
open a connection to your database. Make sure numeric data is numeric, date
data contains dates, and string data does not contain SQL keywords where
inappropriate for the data being entered. Reject anything that looks like a
SQL injection attack. Don't just force it into your database. There is a
published exploit (Second-order SQL Injection) in which data containing
malicious SQL is caused to be entered into a database table ... SQL which is
subsequently executed by another dynamically created query, in which no
validation is performed because, hey, the data is from the database, not the
user.

http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf


Here is some more info on using saved parameter queries:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=e6lLVvOcDHA.1204%40TK2MSFTNGP12.phx.gbl

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
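The two points made in the reply, shown side by side as an added example that is not from either poster: a concatenated DELETE that treats user input as SQL text, the same DELETE with a parameter marker where the driver binds the value, and a server-side numeric check that runs before the database is touched. Python's sqlite3 module stands in for the Access/ADO setup discussed in the thread; the table, rows and function names are constructed for the example.

```python
import re
import sqlite3

# Constructed schema and sample rows (not from the thread).
SCHEMA = "CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, note TEXT)"
SAMPLE_ROWS = [(1, "alice", "first"), (2, "bob", "second"), (3, "carol", "third")]

def fresh_db():
    """In-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def delete_concatenated(conn, raw_id):
    """The pattern the thread warns against: the request value is pasted into
    the SQL text, so whatever it contains becomes part of the statement."""
    cur = conn.execute("DELETE FROM records WHERE id = " + str(raw_id))
    conn.commit()
    return cur.rowcount

def delete_bound_only(conn, raw_id):
    """Parameter marker with no validation: the value is bound by the driver
    and compared as data, never parsed as SQL (the 'direct injection' point)."""
    cur = conn.execute("DELETE FROM records WHERE id = ?", (raw_id,))
    conn.commit()
    return cur.rowcount

def validate_id(raw):
    """Server-side check done before opening the database: numeric data must
    be numeric (ASCII digits only), anything else is rejected outright."""
    text = str(raw).strip()
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError("record id must be a positive integer: %r" % (raw,))
    return int(text)

def delete_parameterized(conn, raw_id):
    """Validate first, then bind: the combination the reply recommends."""
    record_id = validate_id(raw_id)
    cur = conn.execute("DELETE FROM records WHERE id = ?", (record_id,))
    conn.commit()
    return cur.rowcount

def remaining(conn):
    """Row count left in the table, used to observe each variant's effect."""
    return conn.execute("SELECT COUNT(*) FROM records").fetchone()[0]
```

With a crafted value such as `2 OR 1=1`, the concatenated variant empties the table, the bound variant deletes nothing because the whole string is compared as one value, and the validated variant refuses the request before any SQL runs.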