Penetration Testing mailing list archives

Re: [Knowledge shared]


From: Chip Andrews <chipandrews () usa net>
Date: 31 Jan 2002 12:49:20 EST

Quite right.  The statement "SQL Injection does not work with stored
procedures" is inherently false because it fails to recognize that the problem
lies in _how_ the procedure was invoked.  If you fail to perform proper input
validation and use string building techniques like:

conn.execute("exec usp_myproc " & myvar) 

then you're no safer than you were when you were using regular SQL
statements.

The best way to invoke the procedure is through the ADO command and parameter
objects.  This will allow ADO to construct the database request and will
automatically convert single quotes to double, thus neutralizing the injection.
Injection of non-numeric data into a numeric parameter will fail due to strong
data typing.

Chip

"Brett Moore" <brett () softwarecreations co nz> wrote:
Ok so I have some thoughts. No official format.

1) SQL INJECTION

"SQL injection does not work with stored procedures"...Shakes pear 1654

example:

X = WEB VARIABLE = INTEGER

X = 10
EXEC MY_STOREDPROCEDURE X = EXEC MY_STOREDPROCEDURE 10
~
X = 10;EXEC MASTER..XP_CMDSHELL''
EXEC MY_STOREDPROCEDURE X = 10;EXEC MASTER..XP_CMDSHELL''
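
The following is an added example, not code from either post. It does not talk to SQL Server; it models the two invocation styles the thread contrasts and shows the T-SQL text each one would produce for the xp_cmdshell payload above. The string-building style is the `"exec usp_myproc " & myvar` pattern from Chip's message. The ADO Command/Parameter behaviour he describes (strong typing on integer parameters, single quotes doubled inside string literals) is re-implemented here by hand in a small `SqlParam` class; the procedure name `usp_myproc`, the parameter names and the ADO type names are assumptions for illustration.

```python
"""Model of string-built vs parameterized stored-procedure calls.

Added example. Nothing here connects to a database; each function returns the
T-SQL batch text a web application would send, so the number of statements
the server would execute can be inspected directly.
"""
import re

# Constructed input, taken from Brett Moore's example: an "integer" web
# variable that actually carries a second statement.
XP_CMDSHELL_PAYLOAD = "10;EXEC master..xp_cmdshell ''"


def string_built_call(proc, value):
    """Unsafe style: conn.execute("exec usp_myproc " & myvar).

    Whatever the web variable contains is pasted into the batch verbatim.
    """
    return f"exec {proc} {value}"


class SqlParam:
    """Stand-in for an ADO Parameter object (assumed names adInteger/adVarChar)."""

    def __init__(self, name, sql_type, value):
        self.name = name
        self.sql_type = sql_type
        self.value = value

    def literal(self):
        """Render the value as a T-SQL literal, enforcing the declared type."""
        if self.sql_type == "adInteger":
            # Strong typing: only an integer is accepted, so "10;EXEC ..."
            # is rejected before any SQL text is built.
            text = str(self.value).strip()
            if not re.fullmatch(r"[+-]?\d+", text):
                raise TypeError(f"{self.name}: {self.value!r} is not an integer")
            return str(int(text, 10))
        if self.sql_type == "adVarChar":
            # Quote doubling: every ' inside the value becomes '' inside the
            # literal, so the value cannot close the string and start a statement.
            return "'" + str(self.value).replace("'", "''") + "'"
        raise ValueError(f"unsupported parameter type {self.sql_type}")


def parameterized_call(proc, params):
    """Safe style: Command object with typed Parameter objects."""
    args = ", ".join(f"@{p.name} = {p.literal()}" for p in params)
    return f"exec {proc} {args}"


def try_parameterized_call(proc, params):
    """Like parameterized_call, but returns None when a parameter fails typing."""
    try:
        return parameterized_call(proc, params)
    except TypeError:
        return None


def split_statements(batch):
    """Split a T-SQL batch on ';' characters that sit outside string literals.

    A doubled quote toggles the in-string flag twice, so '' is handled
    correctly. Empty fragments (trailing ';') are dropped.
    """
    statements, current, in_string = [], [], False
    for ch in batch:
        if ch == "'":
            in_string = not in_string
        if ch == ";" and not in_string:
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    statements.append("".join(current).strip())
    return [s for s in statements if s]


if __name__ == "__main__":
    unsafe = string_built_call("usp_myproc", XP_CMDSHELL_PAYLOAD)
    print(unsafe, "->", len(split_statements(unsafe)), "statement(s)")

    safe = try_parameterized_call(
        "usp_myproc", [SqlParam("x", "adInteger", XP_CMDSHELL_PAYLOAD)])
    print("typed integer parameter with payload ->", safe)

    # A string parameter carrying quotes and a second statement stays one statement.
    name = SqlParam("name", "adVarChar", "O'Brien'; EXEC master..xp_cmdshell 'dir'--")
    quoted = parameterized_call("usp_lookup", [name])
    print(quoted, "->", len(split_statements(quoted)), "statement(s)")
```

The model reproduces the effect Chip describes at the level of the SQL text. In practice an ADO Command with Parameter objects does not build a literal at all: the value travels to SQL Server as a typed RPC parameter, separate from the statement, which is why the type check and the quote handling happen before any SQL is assembled.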



