Brian Swan's Blog:
Do Stored Procedures Protect Against SQL Injection?
February 17, 2011 @ 11:46:14

Brian Swan has a new post answering a question he's been asked about SQL Server stored procedures and whether or not they help prevent SQL injection in your applications.

When I've asked people about their strategies for preventing SQL injection, one response is sometimes "I use stored procedures." But, stored procedures do not, by themselves, necessarily protect against SQL injection. The usefulness of a stored procedure as a protective measure has everything to do with how the stored procedure is written. Write a stored procedure one way, and you can prevent SQL Injection. Write it another way, and you are still vulnerable.

The short answer is "not always," but he gets into a more detailed answer with a sample login script and the SQL to create the stored procedure the "wrong way" (building the query text dynamically from the input inside the procedure) and the "right way" (using the parameters directly in the query, like bound variables).
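To make the distinction concrete, here is an added T-SQL example (not code from Brian Swan's post) showing a login lookup procedure written both ways for SQL Server. The `dbo.Users` table, its columns and the procedure names are assumptions for the illustration; a real login script would verify the returned password hash in the application.

```sql
-- Added example, not from the original post. Schema below is assumed.
CREATE TABLE dbo.Users (
    UserId   INT IDENTITY PRIMARY KEY,
    Username NVARCHAR(64)  NOT NULL UNIQUE,
    PwdHash  VARBINARY(64) NOT NULL
);
GO

-- WRONG WAY: the procedure builds its own SQL string from the input and
-- executes it. Being inside a stored procedure changes nothing here; the
-- caller's value is spliced into the query text, so it can still alter
-- the statement. This is the pattern the post warns about.
CREATE PROCEDURE dbo.LoginUnsafe
    @Username NVARCHAR(64)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT UserId, PwdHash FROM dbo.Users WHERE Username = '''
             + @Username + N'''';
    EXEC (@sql);
END
GO

-- RIGHT WAY: the parameter is used directly in the query. SQL Server
-- treats @Username as a value, never as part of the SQL text, so no
-- input can change the shape of the statement.
CREATE PROCEDURE dbo.LoginSafe
    @Username NVARCHAR(64)
AS
BEGIN
    SELECT UserId, PwdHash
    FROM dbo.Users
    WHERE Username = @Username;
END
GO

-- If dynamic SQL is genuinely needed inside a procedure (for example a
-- variable ORDER BY), sp_executesql with a parameter list keeps the
-- user-supplied value bound rather than concatenated.
CREATE PROCEDURE dbo.LoginSafeDynamic
    @Username NVARCHAR(64)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId, PwdHash FROM dbo.Users WHERE Username = @u';
    EXEC sp_executesql @sql, N'@u NVARCHAR(64)', @u = @Username;
END
GO
```

The same rule applies on the calling side: a safe procedure is only as safe as its invocation, so the PHP login script should pass the username as a bound parameter to `EXEC dbo.LoginSafe` rather than concatenating it into the `EXEC` string. Reviewing a database for `EXEC (@...)` or `EXECUTE(...)` on a string built from procedure parameters is a quick way to find the "wrong way" pattern.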


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework