Tuesday, April 19, 2016

SQL Injection - Stored Procedures

Security needs to be multiple levels deep. At one point in time, several years ago, there was a trend to have all website code use stored procedures. I heard developers say it prevented SQL injection.

If the database you use allows you to build a SQL statement from a string dynamically at run time inside a stored procedure, then you can have SQL injection in a stored procedure.

Each database has slightly different syntax and guidelines:



In short: if you're doing dynamic SQL inside your stored procedures, you will have to validate the input; otherwise you can be impacted.
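An added example to make the point concrete (this is not code from the original post): in SQL Server's T-SQL, a stored procedure that concatenates its input into a dynamic query is placed beside two hardened forms, one passing the value as a typed parameter through sp_executesql and one handling the case where the dynamic part is an identifier, which a parameter cannot carry. The table, column and procedure names are assumptions made for the illustration, and the syntax will differ on other databases, as the post notes.

```sql
-- Added example, not from the original post. SQL Server (T-SQL).
-- Table, column and procedure names are assumptions for illustration.
CREATE TABLE dbo.Customers (
    CustomerId INT PRIMARY KEY,
    LastName   NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(200) NOT NULL
);
GO

-- VULNERABLE: the caller's @LastName is pasted straight into the SQL text.
-- A value containing a quote character changes the structure of the statement,
-- so "it is in a stored procedure" gives no protection by itself.
CREATE PROCEDURE dbo.FindCustomer_Dynamic_Unsafe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N''';';
    EXEC (@sql);
END;
GO

-- HARDENED: the SQL text is a constant; the value travels as a typed parameter
-- through sp_executesql, so it is never parsed as part of the statement.
CREATE PROCEDURE dbo.FindCustomer_Dynamic_Safe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
             + N'WHERE LastName = @p_LastName;';
    EXEC sp_executesql @sql,
         N'@p_LastName NVARCHAR(100)',
         @p_LastName = @LastName;
END;
GO

-- When the dynamic part must be an identifier (here, the column to sort by),
-- a parameter cannot carry it. Validate it against an allow-list of known
-- column names and wrap it with QUOTENAME before it enters the SQL text.
CREATE PROCEDURE dbo.ListCustomers_Sorted
    @SortColumn SYSNAME
AS
BEGIN
    IF @SortColumn NOT IN (N'CustomerId', N'LastName', N'Email')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN;
    END;
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
             + N'ORDER BY ' + QUOTENAME(@SortColumn) + N';';
    EXEC sp_executesql @sql;
END;
GO
```

When no part of the query structure needs to vary, a plain static query inside the procedure is the simplest option: with no dynamic string there is no injection surface in the procedure at all. Dynamic SQL is only needed for the cases the last procedure shows, and those are the ones where the input validation the post calls for becomes mandatory.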
