Hi, I'm a QA in my department and I want to find out whether it's possible to have SQL injection when calling a stored procedure.

This will be a big help not only for my own benefit but for my company.

Usually in our department, when calling a stored procedure, they use this code:

Dim Sql = "CALL usersaccount ('" & Username.Text &"','" & Password.Text &"');"

I've observed that they are not using parameters.
Updated 1-Sep-13 0:25am

1 solution

The code above is, as you stated, wide open to very simple attacks.
Your thinking is extremely important; they have to protect against SQL injection!

See How To: Protect From SQL Injection in ASP.NET

See further info about stored procedures and the things to notice regarding SQL injection:
- [CodeProject Tip] How to prevent SQL Injection in Stored Procedures
- Do Stored Procedures Protect Against SQL Injection?
- Are stored procedures safe against SQL injection?

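The parameterized rewrite the answer recommends, as an added example that is neither the poster's nor the answer's code. It assumes SQL Server via System.Data.SqlClient, a procedure named usersaccount with parameters @Username and @Password, and that the procedure returns a row only for a matching account; with MySQL, whose CALL syntax the original snippet uses, the same shape applies with MySqlConnection and MySqlCommand.

```vb
' Added example, not the poster's code. Assumes SQL Server and a procedure
' "usersaccount" taking @Username and @Password (parameter names assumed).
Imports System.Data
Imports System.Data.SqlClient

Public Module LoginCheck

    ' Returns True when the stored procedure reports a matching account.
    ' The user-supplied strings travel as typed parameter values, so they
    ' are never parsed as SQL text, whatever quotes or keywords they contain.
    Public Function IsValidLogin(connectionString As String,
                                 username As String,
                                 password As String) As Boolean
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("usersaccount", conn)
                ' CommandType.StoredProcedure makes the provider issue an RPC
                ' call to the procedure instead of building a statement string.
                cmd.CommandType = CommandType.StoredProcedure

                ' Explicit SQL types: the driver sends typed values rather
                ' than inferring them from the .NET strings on every call.
                cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username
                cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 100).Value = password

                conn.Open()
                ' Assumes the procedure returns a row only when the
                ' credentials match; adjust to the procedure's real contract.
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    Return reader.Read()
                End Using
            End Using
        End Using
    End Function

End Module
```

Parameters remove the injection point in the calling code only; if usersaccount itself concatenates its arguments into dynamic SQL and executes that string, the procedure body must be fixed as well, which is what the linked tips cover.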
Comment, 1-Sep-13 20:31pm
So if you're an attacker, how do you SQL inject the useraccount SP?
I have a simple login form with a stored procedure "useraccount"; how can you log on without using a password, with the username "Herbert"?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
