Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection

From: Kevin Spett <kspett(at)spidynamics.com>
Date: Fri Jan 03 2003 - 12:01:39 EST

Using a PreparedStatement to call a stored proc will not protect against string building going on inside the stored proc. Note that a stored proc that does so would go against best practices for stored procedures in general, let alone security. Stored procedures work like PreparedStatements... they're pre-compiled. So normal code in a stored procedure, using input that was passed into it through a parameter, would not be susceptible to SQL injection. However, if you do something like this inside your stored proc, you're still screwing yourself:

DECLARE @sqlString NVARCHAR(MAX);
-- the parameter is spliced into the statement text, so quotes in it are parsed as SQL
SET @sqlString = 'SELECT col FROM tab WHERE value = ''' + @clientSupplied + ''';';
EXEC (@sqlString);

String building SQL statements inside stored procs isn't terribly common, but it's out there. The correct way to do that would be a) another stored proc or b) a prepared statement.

And of course, the standard disclaimers... Someone's database server may implement stored procs in a strange way that goes against standards, validate your input, blah blah blah.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Dave Aitel" <dave@immunitysec.com>
To: <secprog@securityfocus.com>; <webappsec@securityfocus.com>
Sent: Friday, January 03, 2003 11:16 AM
Subject: Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection

> Hmm, can prepared statements call stored procedures which then do their
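The situation Kevin describes, as an added T-SQL example that is not part of the original post: a stored procedure that concatenates its parameter into dynamic SQL beside one that binds the same value through sp_executesql. The table dbo.tab, its columns, the procedure names and the injected value are assumptions constructed for illustration.

```sql
-- Added example, not from the original message. SQL Server T-SQL; run batch by batch.
-- Table, columns and procedure names are assumptions for illustration.
CREATE TABLE dbo.tab (id INT IDENTITY PRIMARY KEY, col NVARCHAR(50), value NVARCHAR(50));
INSERT INTO dbo.tab (col, value) VALUES (N'public', N'alpha'), (N'secret', N'beta');
GO

-- Vulnerable: the caller may well use a JDBC PreparedStatement
-- ("{call dbo.find_unsafe(?)}" with setString), but the parameter arrives
-- intact and is then rebuilt into statement text here, so any quote in it
-- is parsed as SQL by EXEC.
CREATE PROCEDURE dbo.find_unsafe @clientSupplied NVARCHAR(50)
AS
BEGIN
    DECLARE @sqlString NVARCHAR(MAX);
    SET @sqlString = N'SELECT col FROM dbo.tab WHERE value = ''' + @clientSupplied + N''';';
    EXEC (@sqlString);
END
GO

-- Hardened: the statement text contains only a placeholder, and the value
-- is bound as a typed parameter by sp_executesql, never spliced into text.
CREATE PROCEDURE dbo.find_safe @clientSupplied NVARCHAR(50)
AS
BEGIN
    DECLARE @sqlString NVARCHAR(MAX) = N'SELECT col FROM dbo.tab WHERE value = @v;';
    EXEC sp_executesql @sqlString, N'@v NVARCHAR(50)', @v = @clientSupplied;
END
GO

-- Legitimate lookup: both procedures return the single row 'public'.
EXEC dbo.find_unsafe @clientSupplied = N'alpha';
EXEC dbo.find_safe   @clientSupplied = N'alpha';

-- Constructed hostile value: the string  ' OR 1=1 --
-- find_unsafe executes   SELECT col FROM dbo.tab WHERE value = '' OR 1=1 --';
-- and returns every row, 'secret' included. find_safe compares the column
-- against that literal string and returns no rows.
EXEC dbo.find_unsafe @clientSupplied = N''' OR 1=1 --';
EXEC dbo.find_safe   @clientSupplied = N''' OR 1=1 --';
GO
```

For a fixed query like this one, dynamic SQL is not needed at all; a plain `SELECT col FROM dbo.tab WHERE value = @clientSupplied` inside the procedure is the "normal code" case from the message and is compiled with the parameter as a parameter. sp_executesql is the tool for the cases where the statement text genuinely has to vary, and even then only the parts that are not identifiers should come from the caller.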
Received on Fri Jan 3 12:27:44 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT
