Is my application immune to SQL Injection attacks?
Xtreme Visual Basic Talk
  #1  
Old 09-18-2008, 03:14 PM
Helmar Helmar is offline
Freshman
 
Join Date: Sep 2003
Posts: 35
Is my application immune to SQL Injection attacks?


I'm developing a VS2008 ASP.NET VB.NET application that uses a SQL Server Express database.

ALL database access is via parametrized stored procedures, where I pass the data for each field to the stored procedure as a parameter.

I don't build ANY SQL statements on the fly, not even ones that don't use any user data.

Is my application therefore immune from SQL Injection attacks?

If not, what else must I do?

HBH
  #2  
Old 09-18-2008, 07:15 PM
NEOLLE NEOLLE is offline

Super Moderator
* Expert *
 
Join Date: Jun 2004
Location: Davao Philippines
Posts: 2,296

Hello Helmar,

I think knowing the problem is halfway to solving it. If you understand how SQL injection works, then you would be halfway to solving it.
  #3  
Old 09-18-2008, 07:29 PM
Helmar Helmar is offline
Freshman
 
Join Date: Sep 2003
Posts: 35

Quote:
Originally Posted by NEOLLE View Post
... then you would be halfway to solving it...
Thanks for your comments...

I do understand exactly how these attacks work, but in this case, I don't want to be halfway to solving it, I want to be 100% protected from (at least these) attacks.

It never fails to amaze me how these malicious people go through so much effort to write these negative creations, when for the same (or even less) effort, they could create positive and profitable applications.

HBH
  #4  
Old 09-20-2008, 11:05 PM
HorrorGamer HorrorGamer is offline
Regular
 
Join Date: Aug 2008
Location: Surprise, AZ
Posts: 89

Wow, that is a great article -- added to favorites.

Relying heavily on parameterized stored procedures is a great start. But what exists within the stored procedures? If you are still using dynamic SQL via the EXEC command, then you may still be vulnerable.
__________________
Play Tank Games
  #5  
Old 09-21-2008, 06:21 AM
Helmar Helmar is offline
Freshman
 
Join Date: Sep 2003
Posts: 35

I don't use the EXEC command.

ALL of my stored procedures are like this one:

ALTER PROCEDURE dbo.SaveCreditCardInformation
(
    @CompanyID UniqueIdentifier,
    @CreditCardNumber varchar(25),
    @CreditCardExpirationDate varchar(25),
    @CreditCardCode nvarchar(10)
)
AS
    -- Static UPDATE: every value arrives as a typed parameter, so none of
    -- the caller's data is ever concatenated into SQL text.
    UPDATE Companies
    SET CreditCardNumber = @CreditCardNumber,
        CreditCardExpirationDate = @CreditCardExpirationDate,
        CreditCardCode = @CreditCardCode
    WHERE (CompanyID = @CompanyID)

    -- Report how many rows the UPDATE touched (0 if the CompanyID was unknown).
    RETURN @@ROWCOUNT
  #6  
Old 09-21-2008, 08:09 AM
tishri tishri is offline
Newcomer
 
Join Date: Aug 2006
Posts: 11

Then it's completely safe from SQL injection. Parameters are treated as parameters in a standard SQL query, unlike in a dynamic SQL query, where a parameter is treated as part of the query.
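The distinction drawn in the last few posts (a static statement with parameters is safe; a procedure that concatenates its parameters into text and runs it with EXEC is not, even when the application layer binds them correctly) can be shown side by side in T-SQL. The following is an added example and is not code from the thread; it assumes a hypothetical table dbo.Companies with columns CompanyID and CompanyName, and SQL Server 2005 or later for nvarchar(max) and sys.sp_executesql. The constructed test value N'O''Reilly' contains a single quote, which is enough to show whether a value is bound as data or parsed as SQL text.

```sql
-- Added example (not from the thread). Assumes a hypothetical table
-- dbo.Companies (CompanyID, CompanyName); SQL Server 2005 or later.

-- 1. Static SQL with parameters: the pattern Helmar's procedure uses.
--    @CompanyName is bound as a value and is never parsed as SQL text.
CREATE PROCEDURE dbo.FindCompanyStatic
    @CompanyName nvarchar(100)
AS
    SELECT CompanyID, CompanyName
    FROM dbo.Companies
    WHERE CompanyName = @CompanyName;
GO

-- 2. Dynamic SQL built by concatenation and run with EXEC: this is the
--    case HorrorGamer warns about. The parameter value becomes part of the
--    query text inside the procedure, so a value containing a quote changes
--    the structure of the statement. Binding @CompanyName as a SqlParameter
--    in the VB.NET caller does not help, because the concatenation happens
--    after the parameter has been received.
CREATE PROCEDURE dbo.FindCompanyUnsafe
    @CompanyName nvarchar(100)
AS
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CompanyID, CompanyName FROM dbo.Companies '
             + N'WHERE CompanyName = ''' + @CompanyName + N'''';
    EXEC (@sql);   -- injection point lives inside the procedure
GO

-- 3. When dynamic SQL is genuinely needed (here a caller-chosen sort
--    column, which cannot be a parameter), keep the data value as a
--    parameter via sp_executesql and allow only known identifiers to be
--    spliced into the text, wrapped with QUOTENAME.
CREATE PROCEDURE dbo.FindCompanySafeDynamic
    @CompanyName nvarchar(100),
    @SortColumn  sysname = N'CompanyName'
AS
    IF @SortColumn NOT IN (N'CompanyName', N'CompanyID')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN 1;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CompanyID, CompanyName FROM dbo.Companies '
             + N'WHERE CompanyName = @name '
             + N'ORDER BY ' + QUOTENAME(@SortColumn) + N';';
    EXEC sys.sp_executesql @sql,
         N'@name nvarchar(100)',
         @name = @CompanyName;
GO

-- Check with a constructed value containing a single quote.
-- The first two calls match the literal string O'Reilly (returning that
-- row if it exists, otherwise nothing). The third fails with a syntax
-- error, because the quote terminated the string inside @sql: the value
-- was parsed as SQL, which is exactly the property an attacker needs.
EXEC dbo.FindCompanyStatic      @CompanyName = N'O''Reilly';
EXEC dbo.FindCompanySafeDynamic @CompanyName = N'O''Reilly', @SortColumn = N'CompanyID';
EXEC dbo.FindCompanyUnsafe      @CompanyName = N'O''Reilly';
```

A practical way to audit an existing database for the second pattern is to search procedure definitions for EXEC followed by a parenthesised variable, for example with sys.sql_modules: SELECT OBJECT_NAME(object_id) FROM sys.sql_modules WHERE definition LIKE '%EXEC%(%@%'. Any hit is a procedure whose safety depends on how the text was built, not on the caller's parameter binding.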