Solved

Can a stored procedure like this be SQL injected? ASP VBScript

Posted on 2008-06-25
4
380 Views
Last Modified: 2010-04-21
Can anyone tell me if my stored procedure can be hit by SQL injection.  Here is one example:

On the database:
ALTER PROCEDURE [dbo].[usp_ValidateLogin]
      -- Add the parameters for the stored procedure here
      @shipper nvarchar(10),
      @password nvarchar(800),
      @email nvarchar(800) OUTPUT
AS
BEGIN
      
      DECLARE @isFirstLogin Int  --Return Value
      SET @isFirstLogin = -1
      
      -- SET NOCOUNT ON added to prevent extra result sets from
      -- interfering with SELECT statements.
      SET NOCOUNT ON;

    SELECT
            @isFirstLogin = isFirstLogin,
            @email = email
      FROM tbl_Registered_Users
      WHERE shipper = @shipper AND Password = @password
      
      RETURN @isFirstLogin

END


And here's how its being called via ASP.
      set cmdLogin = Server.CreateObject("ADODB.Command")
      With cmdLogin
            .ActiveConnection = dbConnLogin
            .CommandText = "usp_ValidateLogin"
            .CommandType = adCmdStoredProc
            .Parameters.Append .CreateParameter("RETURN_VALUE", adInteger, adParamReturnValue)
            .Parameters.Append .CreateParameter("@shipper", adVarWChar, adParamInput,10, shipperID)
            .Parameters.Append .CreateParameter("@password", adVarWChar, adParamInput,800, password)
            .Parameters.Append .CreateParameter("email", adVarWChar, adParamOutput,800)
            .Execute ,, adExecuteNoRecords
            
            'extract the return value
            isFirstLogin = .Parameters ("RETURN_VALUE")            
            eEmail = .Parameters.Item ("email")      
      End With
0
Comment
Question by:sarniscool
  • 2
4 Comments
 
LVL 7

Expert Comment

by:60MXG
Comment Utility
Read these articles.  

http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

You can try to open the page up in internet explorer and then use right mouse click and select "view source".  If you can see your password in the notepad then it is likely someone can hack it.  As long as you lock down SQL Injection and patch your SQL server you are safe.  
0
 

Author Comment

by:sarniscool
Comment Utility
I've been reading on SQL injection and they say if I pass via parameters I would be safe.  I'm assuming that the above code is passing thigs via Parameters (the code even says parameters in it) so I assume this is ok then?  
0
 
LVL 32

Accepted Solution

by:
Daniel Wilson earned 50 total points
Comment Utility
>>so I assume this is ok then?  


Yes.  Looks good.  You get into trouble when you dynmically build your SQL statement ... e.g. "select * from Mytable where ID = " & Request("ID")
0
 

Author Closing Comment

by:sarniscool
Comment Utility
Thanks
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Introduction In my previous article (http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/SSIS/A_9150-Loading-XML-Using-SSIS.html) I showed you how the XML Source component can be used to load XML files into a SQL Server database, us…
Everyone has problem when going to load data into Data warehouse (EDW). They all need to confirm that data quality is good but they don't no how to proceed. Microsoft has provided new task within SSIS 2008 called "Data Profiler Task". It solve th…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now