Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 390
  • Last Modified:

Can a stored procedure like this be SQL injected? ASP VBScript

Can anyone tell me if my stored procedure can be hit by SQL injection.  Here is one example:

On the database:
ALTER PROCEDURE [dbo].[usp_ValidateLogin]
      -- Add the parameters for the stored procedure here
      @shipper nvarchar(10),
      @password nvarchar(800),
      @email nvarchar(800) OUTPUT
AS
BEGIN
      
      DECLARE @isFirstLogin Int  --Return Value
      SET @isFirstLogin = -1
      
      -- SET NOCOUNT ON added to prevent extra result sets from
      -- interfering with SELECT statements.
      SET NOCOUNT ON;

    SELECT
            @isFirstLogin = isFirstLogin,
            @email = email
      FROM tbl_Registered_Users
      WHERE shipper = @shipper AND Password = @password
      
      RETURN @isFirstLogin

END


And here's how its being called via ASP.
      set cmdLogin = Server.CreateObject("ADODB.Command")
      With cmdLogin
            .ActiveConnection = dbConnLogin
            .CommandText = "usp_ValidateLogin"
            .CommandType = adCmdStoredProc
            .Parameters.Append .CreateParameter("RETURN_VALUE", adInteger, adParamReturnValue)
            .Parameters.Append .CreateParameter("@shipper", adVarWChar, adParamInput,10, shipperID)
            .Parameters.Append .CreateParameter("@password", adVarWChar, adParamInput,800, password)
            .Parameters.Append .CreateParameter("email", adVarWChar, adParamOutput,800)
            .Execute ,, adExecuteNoRecords
            
            'extract the return value
            isFirstLogin = .Parameters ("RETURN_VALUE")            
            eEmail = .Parameters.Item ("email")      
      End With
0
sarniscool
Asked:
sarniscool
  • 2
1 Solution
 
60MXGCommented:
Read these articles.  

http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

You can try to open the page up in internet explorer and then use right mouse click and select "view source".  If you can see your password in the notepad then it is likely someone can hack it.  As long as you lock down SQL Injection and patch your SQL server you are safe.  
0
 
sarniscoolAuthor Commented:
I've been reading on SQL injection and they say if I pass via parameters I would be safe.  I'm assuming that the above code is passing thigs via Parameters (the code even says parameters in it) so I assume this is ok then?  
0
 
Daniel WilsonCommented:
>>so I assume this is ok then?  


Yes.  Looks good.  You get into trouble when you dynmically build your SQL statement ... e.g. "select * from Mytable where ID = " & Request("ID")
0
 
sarniscoolAuthor Commented:
Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Build your data science skills into a career

Are you ready to take your data science career to the next step, or break into data science? With Springboard’s Data Science Career Track, you’ll master data science topics, have personalized career guidance, weekly calls with a data science expert, and a job guarantee.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now