Solved

Can a stored procedure like this be SQL injected? ASP VBScript

Posted on 2008-06-25
4
381 Views
Last Modified: 2010-04-21
Can anyone tell me if my stored procedure can be hit by SQL injection.  Here is one example:

On the database:
ALTER PROCEDURE [dbo].[usp_ValidateLogin]
      -- Add the parameters for the stored procedure here
      @shipper nvarchar(10),
      @password nvarchar(800),
      @email nvarchar(800) OUTPUT
AS
BEGIN
      
      DECLARE @isFirstLogin Int  --Return Value
      SET @isFirstLogin = -1
      
      -- SET NOCOUNT ON added to prevent extra result sets from
      -- interfering with SELECT statements.
      SET NOCOUNT ON;

    SELECT
            @isFirstLogin = isFirstLogin,
            @email = email
      FROM tbl_Registered_Users
      WHERE shipper = @shipper AND Password = @password
      
      RETURN @isFirstLogin

END


And here's how its being called via ASP.
      set cmdLogin = Server.CreateObject("ADODB.Command")
      With cmdLogin
            .ActiveConnection = dbConnLogin
            .CommandText = "usp_ValidateLogin"
            .CommandType = adCmdStoredProc
            .Parameters.Append .CreateParameter("RETURN_VALUE", adInteger, adParamReturnValue)
            .Parameters.Append .CreateParameter("@shipper", adVarWChar, adParamInput,10, shipperID)
            .Parameters.Append .CreateParameter("@password", adVarWChar, adParamInput,800, password)
            .Parameters.Append .CreateParameter("email", adVarWChar, adParamOutput,800)
            .Execute ,, adExecuteNoRecords
            
            'extract the return value
            isFirstLogin = .Parameters ("RETURN_VALUE")            
            eEmail = .Parameters.Item ("email")      
      End With
0
Comment
Question by:sarniscool
  • 2
4 Comments
 
LVL 7

Expert Comment

by:60MXG
ID: 21870245
Read these articles.  

http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

You can try to open the page up in internet explorer and then use right mouse click and select "view source".  If you can see your password in the notepad then it is likely someone can hack it.  As long as you lock down SQL Injection and patch your SQL server you are safe.  
0
 

Author Comment

by:sarniscool
ID: 21874940
I've been reading on SQL injection and they say if I pass via parameters I would be safe.  I'm assuming that the above code is passing thigs via Parameters (the code even says parameters in it) so I assume this is ok then?  
0
 
LVL 32

Accepted Solution

by:
Daniel Wilson earned 50 total points
ID: 23099405
>>so I assume this is ok then?  


Yes.  Looks good.  You get into trouble when you dynmically build your SQL statement ... e.g. "select * from Mytable where ID = " & Request("ID")
0
 

Author Closing Comment

by:sarniscool
ID: 31470781
Thanks
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction SQL Server Integration Services can read XML files, that’s known by every BI developer.  (If you didn’t, don’t worry, I’m aiming this article at newcomers as well.) But how far can you go?  When does the XML Source component become …
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now