 Regarding the sql injection

Author  Topic 

vgr.raju
Yak Posting Veteran

95 Posts

Posted - 2005-08-24 : 22:00:02
I would like to know about SQL injection in stored procedures.
I would appreciate a quick response.
Thanks

Kristen
Test

22859 Posts

Posted - 2005-08-25 : 00:41:59
Have you got a specific question? If not, there is plenty of info on this site:

http://www.google.co.uk/search?&q=site%3Asqlteam.com+sql+injection

Kristen

vgr.raju
Yak Posting Veteran

95 Posts

Posted - 2005-08-26 : 02:39:42
Hi Kristen,
Thank you for your reply.
I have been assigned some stored procedures to test against SQL injection.
In those stored procedures, we are passing the input parameters through a function.
That function takes care of the SQL injection.
I would like to find some way to get around those functions and send SQL queries to the stored procedures.

The following is the function we use against SQL injection.
For example, we send the parameter as a string to the function and get the value back from the function.
-- @String is the input parameter as passed by the caller
SELECT @String = REPLACE (@String, '''''', '''')   -- collapse already-doubled single quotes
SELECT @String = REPLACE (@String, '''', '''''')   -- double every single quote
SELECT @String = REPLACE (@String, '--', '')       -- strip line comment markers
SELECT @String = REPLACE (@String, '[', '')        -- strip bracket characters
SELECT @String = REPLACE (@String, ']', '')
SELECT @String = REPLACE (@String, '%', '[%]')     -- escape LIKE wildcards
SELECT @String = REPLACE (@String, '_', '[_]')
-- @String is then returned to the caller

Is it possible to get around this function? If so, please let me know.
Thanks.

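Added example, not from the thread or from the poster's code base: the seven REPLACE steps from the post wrapped as a T-SQL scalar function, alongside a stored procedure that does not rely on quote escaping at all because it passes the value to sp_executesql as a parameter. The function name, the procedure name, and the dbo.Customers table with its CustomerId and CustomerName columns are assumptions made for the example.

```sql
-- Example code added to illustrate the thread; not the poster's actual function.
-- Assumed objects: dbo.fnEscapeForDynamicSql, dbo.usp_FindCustomers, dbo.Customers.

CREATE FUNCTION dbo.fnEscapeForDynamicSql (@String NVARCHAR(4000))
RETURNS NVARCHAR(4000)
AS
BEGIN
    -- Same seven REPLACE steps as in the post, in the same order.
    SELECT @String = REPLACE(@String, '''''', '''')   -- collapse already-doubled quotes
    SELECT @String = REPLACE(@String, '''', '''''')   -- double every single quote
    SELECT @String = REPLACE(@String, '--', '')       -- strip line comment markers
    SELECT @String = REPLACE(@String, '[', '')        -- strip bracket characters
    SELECT @String = REPLACE(@String, ']', '')
    SELECT @String = REPLACE(@String, '%', '[%]')     -- escape LIKE wildcards
    SELECT @String = REPLACE(@String, '_', '[_]')
    RETURN @String
END
GO

-- Procedure that still builds its statement dynamically but binds the user
-- value as a parameter, so the value never becomes part of the SQL text.
-- Only the LIKE wildcards need escaping here; quotes do not.
CREATE PROCEDURE dbo.usp_FindCustomers (@NamePrefix NVARCHAR(200))
AS
BEGIN
    DECLARE @sql NVARCHAR(1000)

    -- Escape the characters that LIKE treats specially, using the bracket form
    SELECT @NamePrefix = REPLACE(@NamePrefix, '[', '[[]')
    SELECT @NamePrefix = REPLACE(@NamePrefix, '%', '[%]')
    SELECT @NamePrefix = REPLACE(@NamePrefix, '_', '[_]')

    -- @p is a real parameter of the batch, not text spliced into it
    SELECT @sql = N'SELECT CustomerId, CustomerName FROM dbo.Customers '
                + N'WHERE CustomerName LIKE @p + N''%'''

    EXEC sp_executesql @sql, N'@p NVARCHAR(200)', @p = @NamePrefix
END
GO

-- Usage:
-- SELECT dbo.fnEscapeForDynamicSql(N'O''Brien 100%')
-- EXEC dbo.usp_FindCustomers N'O''Bri'
```

The check a tester would want to make on the procedures in the post is whether the escaped string is concatenated into dynamic SQL or handed to a parameter. The quote doubling in the function only does useful work in the first case; in the second case it is unnecessary, and a value like O'Brien would be stored or matched with two quotes. Binding the value as a parameter, as usp_FindCustomers does, is what keeps the input out of the statement text; the REPLACE calls then only need to cover the LIKE wildcards.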