rajiv13579
Starting Member
2 Posts
Posted - 2009-07-13 : 02:34:32
Hi All,

I am developing a .NET based website which has stored procedures to execute the database queries. As per my understanding from various websites, stored procedures are also vulnerable to SQL injection attack. Can somebody please share some checklist having the exact things to be done/kept in mind while writing and calling stored procedures to protect them from SQL injection? E.g. in input validation we must check that "select, union, delete, update, OR, --, insert, %%, ', Grant Control, Print, DROP, !, ;, =, +, ||, Concat, ASCII, admin, ), Having, Group by, order by, NULL, Convert, sum, where, top, waitfor, *, count, <, >" are not there.

Also, use of SQLCommand.commandtype = CommandType.StoredProcedure with parameters lowers the risk, but does it totally remove the risk?

I need this kind of exact checklist which can be passed to the SQL development team.

Cheers
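The point the question turns on is where the boundary between data and SQL text sits. Calling a procedure with CommandType.StoredProcedure and SqlParameter objects keeps the caller's input as a value at the call boundary, but it says nothing about what the procedure does with that value afterwards: a procedure that concatenates the parameter into a string and EXECs it has re-created the injection point inside the database, and no keyword blocklist on the .NET side reliably closes it. The T-SQL below is an added example for SQL Server, not code from the original post; the table, procedure, column and login names are assumed for illustration. It shows the three shapes a reviewer should look for when auditing procedures: static SQL (safe by construction), dynamic SQL built by concatenation (the hole), and dynamic SQL via sp_executesql with parameters plus an allow-list for the parts that cannot be parameterized.

```sql
-- Added example (T-SQL, SQL Server); not from the original post.
-- dbo.Customers, the procedure names and AppUser are assumed for illustration.

CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(100) NOT NULL,
    City       NVARCHAR(100) NOT NULL
);
GO

-- 1. Static SQL. @LastName is only ever compared as a value; whatever
--    characters it contains, it is never parsed as part of the statement.
--    Called from .NET with CommandType.StoredProcedure and a SqlParameter,
--    this shape carries no injection risk and needs no keyword filtering.
CREATE PROCEDURE dbo.FindCustomersByLastName
    @LastName NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, LastName, City
    FROM dbo.Customers
    WHERE LastName = @LastName;
END
GO

-- 2. The pattern that re-opens the hole. The call boundary is parameterized,
--    but the procedure splices @City into SQL text and executes the text, so
--    the value is interpreted as code inside the database. The .NET-side
--    parameterization does nothing to prevent this.
CREATE PROCEDURE dbo.FindCustomersByCity_Unsafe
    @City NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customers '
      + N'WHERE City = ''' + @City + N''';';
    EXEC (@sql);   -- vulnerable: @City has become part of the statement text
END
GO

-- 3. The same dynamic SQL made safe: the statement text is a constant and the
--    value travels as a typed parameter of sys.sp_executesql.
CREATE PROCEDURE dbo.FindCustomersByCity
    @City NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customers '
      + N'WHERE City = @p_city;';
    EXEC sys.sp_executesql @sql, N'@p_city NVARCHAR(100)', @p_city = @City;
END
GO

-- 4. Identifiers (a sort column, a table name) cannot be passed as parameters.
--    When one must be dynamic, check it against an explicit allow-list and
--    wrap it with QUOTENAME; never concatenate the raw input.
CREATE PROCEDURE dbo.ListCustomersSorted
    @SortColumn SYSNAME
AS
BEGIN
    SET NOCOUNT ON;
    IF @SortColumn NOT IN (N'LastName', N'City')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customers '
      + N'ORDER BY ' + QUOTENAME(@SortColumn) + N';';
    EXEC sys.sp_executesql @sql;
END
GO

-- 5. Least privilege for the application login (AppUser is assumed): grant
--    EXECUTE on the procedures only, not SELECT/INSERT on the tables, so that
--    even a procedure-level mistake is limited to what the procedure exposes.
GRANT EXECUTE ON dbo.FindCustomersByLastName TO AppUser;
GRANT EXECUTE ON dbo.FindCustomersByCity TO AppUser;
GRANT EXECUTE ON dbo.ListCustomersSorted TO AppUser;
GO
```

For a checklist handed to a SQL team, the review is mechanical: every occurrence of EXEC (@string) or EXEC on a concatenated string is a finding unless the concatenated pieces are literals or QUOTENAME'd values from an allow-list; every user-supplied value in dynamic SQL goes through sp_executesql parameters; and the application login holds EXECUTE on procedures rather than rights on the underlying tables. Keyword filtering of the kind listed in the question belongs, at most, as a secondary detection signal, since it blocks legitimate data (a surname containing "or", a comment containing a semicolon) while still missing inputs that never use those tokens.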