Can a stored procedure like this be SQL injected? ASP VBScript

Can anyone tell me if my stored procedure can be hit by SQL injection.  Here is one example:

On the database:
ALTER PROCEDURE [dbo].[usp_ValidateLogin]
      -- Add the parameters for the stored procedure here
      @shipper nvarchar(10),
      @password nvarchar(800),
      @email nvarchar(800) OUTPUT
AS
BEGIN
      
      DECLARE @isFirstLogin Int  --Return Value
      SET @isFirstLogin = -1
      
      -- SET NOCOUNT ON added to prevent extra result sets from
      -- interfering with SELECT statements.
      SET NOCOUNT ON;

    SELECT
            @isFirstLogin = isFirstLogin,
            @email = email
      FROM tbl_Registered_Users
      WHERE shipper = @shipper AND Password = @password
      
      RETURN @isFirstLogin

END


And here's how its being called via ASP.
      set cmdLogin = Server.CreateObject("ADODB.Command")
      With cmdLogin
            .ActiveConnection = dbConnLogin
            .CommandText = "usp_ValidateLogin"
            .CommandType = adCmdStoredProc
            .Parameters.Append .CreateParameter("RETURN_VALUE", adInteger, adParamReturnValue)
            .Parameters.Append .CreateParameter("@shipper", adVarWChar, adParamInput,10, shipperID)
            .Parameters.Append .CreateParameter("@password", adVarWChar, adParamInput,800, password)
            .Parameters.Append .CreateParameter("email", adVarWChar, adParamOutput,800)
            .Execute ,, adExecuteNoRecords
            
            'extract the return value
            isFirstLogin = .Parameters ("RETURN_VALUE")            
            eEmail = .Parameters.Item ("email")      
      End With
sarniscoolAsked:
Who is Participating?
 
Daniel WilsonConnect With a Mentor Commented:
>>so I assume this is ok then?  


Yes.  Looks good.  You get into trouble when you dynmically build your SQL statement ... e.g. "select * from Mytable where ID = " & Request("ID")
0
 
60MXGCommented:
Read these articles.  

http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

You can try to open the page up in internet explorer and then use right mouse click and select "view source".  If you can see your password in the notepad then it is likely someone can hack it.  As long as you lock down SQL Injection and patch your SQL server you are safe.  
0
 
sarniscoolAuthor Commented:
I've been reading on SQL injection and they say if I pass via parameters I would be safe.  I'm assuming that the above code is passing thigs via Parameters (the code even says parameters in it) so I assume this is ok then?  
0
 
sarniscoolAuthor Commented:
Thanks
0
All Courses

From novice to tech pro — start learning today.