Solved

Can a stored procedure like this be SQL injected? ASP VBScript

Posted on 2008-06-25
4
385 Views
Last Modified: 2010-04-21
Can anyone tell me if my stored procedure can be hit by SQL injection.  Here is one example:

On the database:
ALTER PROCEDURE [dbo].[usp_ValidateLogin]
      -- Add the parameters for the stored procedure here
      @shipper nvarchar(10),
      @password nvarchar(800),
      @email nvarchar(800) OUTPUT
AS
BEGIN
      
      DECLARE @isFirstLogin Int  --Return Value
      SET @isFirstLogin = -1
      
      -- SET NOCOUNT ON added to prevent extra result sets from
      -- interfering with SELECT statements.
      SET NOCOUNT ON;

    SELECT
            @isFirstLogin = isFirstLogin,
            @email = email
      FROM tbl_Registered_Users
      WHERE shipper = @shipper AND Password = @password
      
      RETURN @isFirstLogin

END


And here's how its being called via ASP.
      set cmdLogin = Server.CreateObject("ADODB.Command")
      With cmdLogin
            .ActiveConnection = dbConnLogin
            .CommandText = "usp_ValidateLogin"
            .CommandType = adCmdStoredProc
            .Parameters.Append .CreateParameter("RETURN_VALUE", adInteger, adParamReturnValue)
            .Parameters.Append .CreateParameter("@shipper", adVarWChar, adParamInput,10, shipperID)
            .Parameters.Append .CreateParameter("@password", adVarWChar, adParamInput,800, password)
            .Parameters.Append .CreateParameter("email", adVarWChar, adParamOutput,800)
            .Execute ,, adExecuteNoRecords
            
            'extract the return value
            isFirstLogin = .Parameters ("RETURN_VALUE")            
            eEmail = .Parameters.Item ("email")      
      End With
0
Comment
Question by:sarniscool
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 7

Expert Comment

by:60MXG
ID: 21870245
Read these articles.  

http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

You can try to open the page up in internet explorer and then use right mouse click and select "view source".  If you can see your password in the notepad then it is likely someone can hack it.  As long as you lock down SQL Injection and patch your SQL server you are safe.  
0
 

Author Comment

by:sarniscool
ID: 21874940
I've been reading on SQL injection and they say if I pass via parameters I would be safe.  I'm assuming that the above code is passing thigs via Parameters (the code even says parameters in it) so I assume this is ok then?  
0
 
LVL 32

Accepted Solution

by:
Daniel Wilson earned 50 total points
ID: 23099405
>>so I assume this is ok then?  


Yes.  Looks good.  You get into trouble when you dynmically build your SQL statement ... e.g. "select * from Mytable where ID = " & Request("ID")
0
 

Author Closing Comment

by:sarniscool
ID: 31470781
Thanks
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you see single cell contains number and text, and you have to get any date out of it seems like cracking our heads.
A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question