Can I avoid all SQL-injection attacks by using parameters?

No, you can't avoid all SQL injection attacks by using parameters. Dynamic SQL is the real issue, and this can occur in stored procedures as well as in your application code. E.g., this is prone to a SQL injection attack: your parameterized query passes a username to a stored procedure, and within the stored procedure the parameter is concatenated to a SQL command and then executed. For an example of many kinds of SQL injection attacks, see this SQL Injection Cheat Sheet. You will see that simply escaping single quotes is just scratching the surface, and that there are many ways around that.

– M. H Sep 17 '10 at 15:50

@MH: replacing all ' with '' – Quandary Sep 17 '10 at 15:52

The solution is to never use dynamic SQL. If this is not possible, then you must go to extreme lengths to ensure that you properly escape any string that will be concatenated to a SQL statement, and also consider how the string is getting marshalled across domains (e.g., HTML --> Javascript --> URL encoding -->), as there may be additional complications due to those transformations. – RedFilter Sep 17 '10 at 15:56

@Quandary: that is not sufficient. There are cases, such as when you're concatenating an integer, where there won't be any quotes around it. It is a non-trivial problem, and thus that is why parameterized queries exist. They solve 99% of the cases. – rmeador Sep 17 '10 at 16:03

You can use parameters with dynamic SQL... so it really does always come back to using parameters. – dotjoe Sep 17 '10 at 16:16

Yes and no. Yes, if all of your SQL statements are indeed static and use only parameters, then you're 100% protected from SQL injection attacks. The problem comes when the parameters themselves are used to construct dynamic SQL statements. An example would be a stored procedure that generates a SQL statement dynamically for querying a multitude of different options, where a single monolithic statement would be impractical.

While there are better solutions to this problem, this is a common one.

100%, that is, assuming MS or Novell didn't make any mistakes. – Quandary Sep 17 '10 at 15:54

Yes you can avoid all SQL-injection attacks by using parameters, as long as you use parameters exclusively all the way down the call stack. For example: Your app code calls a stored procedure or dynamic SQL in the database. That must use parameters to pass all values.

The stored procedure or dynamic SQL internally constructs a call to another stored procedure or dynamic SQL statement. That must also use parameters to pass all values. Repeat ad-infinitum until you run out of code.

If you are programming in SQL Server, you can use sp_executesql to execute dynamic SQL, and it will let you define and pass parameterised values to the statement being executed.

I think people forget that you can use parameters with dynamic SQL. – dotjoe Sep 17 '10 at 16:24

If you are going to build a dynamic SQL query with those parameters (passed to a stored procedure, for example) then there's a chance of SQL injection if precautions are not taken.

You can always minimize the risk of SQL injection by using prepared statements, provided your database engine supports them. Anyway, prepared statements are probably the most secure way of blocking SQL injections.

The problem is building the SQL statement dynamically. For example, you might want to order the result based on the column the user selected. In most databases, you can't use parameters here ("ORDER BY ?" doesn't work).

So you have to "ORDER BY " + column. Now, if "column" is a String, then the user of your web-application could inject code there (which is not easy, but possible).
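The two failure modes discussed on this page, a parameter value concatenated into a query inside the database layer and a column name that cannot be bound as a parameter, side by side with the safe forms, as an added example that is not from any of the answers above. It uses an in-memory SQLite table and constructed sample rows; the table, column names and allow-list are assumptions for the demo.

```python
import sqlite3

# Allow-list for ORDER BY: a column name cannot be bound as a parameter,
# so the only safe input here is one we recognise (assumed demo columns).
ALLOWED_ORDER_COLUMNS = {"username", "created_at"}


def build_demo_db():
    """Constructed sample data; one username contains a single quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users (username, created_at) VALUES (?, ?)",
        [("alice", "2010-09-01"), ("bob", "2010-09-02"), ("o'brien", "2010-09-03")],
    )
    return conn


def find_users_unsafe(conn, username):
    """The pattern the answers warn about: the value is spliced into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def unsafe_query_fails(conn, username):
    """True if the concatenated query cannot even parse the input as data."""
    try:
        find_users_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def find_users_safe(conn, username, order_by="username"):
    """Value goes through a bound parameter; column name goes through the allow-list."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"SELECT username FROM users WHERE username = ? ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql, (username,))]


def order_by_is_rejected(conn, order_by):
    """True if a column name outside the allow-list is refused before any SQL runs."""
    try:
        find_users_safe(conn, "alice", order_by=order_by)
        return False
    except ValueError:
        return True
```

The quote in o'brien is enough to break the concatenated version, while the parameterised version returns the row; a column name that is not on the allow-list never reaches the database at all.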

