Hi, I'm a QA in my department and I want to test whether it's possible to have SQL Injection when calling a stored procedure.

This will be a big help, not only for my own benefit but for my company.

Usually in our department, when calling a stored procedure, they use this code:

VB
' Username.Text and Password.Text are concatenated straight into the CALL statement
Dim Sql = "CALL usersaccount ('" & Username.Text & "','" & Password.Text & "');"


I've observed that they are not using parameters.
Posted
Updated 1-Sep-13 0:25am

1 solution

The code above is, as you stated, wide open to very simple attacks.
Your thinking is extremely important; they have to protect against SQL injection!

See How To: Protect From SQL Injection in ASP.NET

See further info about stored procedures and the things to notice regarding SQL injection:
- [CodeProject Tip] How to prevent SQL Injection in Stored Procedures
- Do Stored Procedures Protect Against SQL Injection?
- Are stored procedures safe against SQL injection?

Cheers,
Edo
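The parameterized form of the same CALL, as an added example that is not part of the answer above. It assumes MySQL behind the CALL syntax and the MySql.Data (Connector/NET) client; the procedure name usersaccount comes from the question, while the connection string, parameter names and column sizes are assumptions.

```vb
' Added example, not code from the question or answer. Assumes MySQL via
' Connector/NET (MySql.Data); the procedure "usersaccount" is from the question.
Imports System.Data
Imports MySql.Data.MySqlClient

Public Module LoginSample
    ' Returns True when the procedure returned at least one row.
    ' The statement text is fixed before any user input is attached to it,
    ' so quotes typed into Username.Text or Password.Text stay data.
    Public Function CheckLogin(connectionString As String,
                               username As String,
                               password As String) As Boolean
        Using conn As New MySqlConnection(connectionString)
            Using cmd As New MySqlCommand("CALL usersaccount(@username, @password);", conn)
                cmd.CommandType = CommandType.Text
                ' Typed parameters instead of string concatenation
                ' (VarChar sizes 64 and 255 are assumed, not from the page)
                cmd.Parameters.Add("@username", MySqlDbType.VarChar, 64).Value = username
                cmd.Parameters.Add("@password", MySqlDbType.VarChar, 255).Value = password
                conn.Open()
                Using reader As MySqlDataReader = cmd.ExecuteReader()
                    Return reader.HasRows
                End Using
            End Using
        End Using
    End Function
End Module
```

Parameterizing the CALL protects only the statement built in VB; if the body of usersaccount itself assembles SQL from its arguments with dynamic SQL, it can still be injected, which is what the linked tips on stored procedures cover.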
Comments
iMaker.ph 1-Sep-13 20:31pm
So if you're an attacker, how do you SQL inject the useraccount SP?
I have a simple login form with a stored procedure "useraccount"; how can you log on without using a password, with a username of "Herbert"?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)