
RE: SQL Injection, Stored Procedures and parameterized Queries - How they work?

From: David Nester <david(at)icrew.org>
Date: Thu Jul 17 2003 - 12:45:33 EDT


Rohit,

Good morning!

I don't remember this paper discussing remediation tactics; however, it does offer a nice description of SQL injection.

        http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf

Hope this helps!

David

-----Original Message-----
From: S. Rohit [mailto:s.rohit@usa.net]
Sent: Thursday, July 17, 2003 9:32 AM
To: webappsec@securityfocus.com
Subject: SQL Injection, Stored Procedures and parameterized Queries - How they work?

hi....

    I'm looking for an in-depth, detailed explanation of how the proper use of stored procedures or parameterized queries ensures that SQL injection attacks can be deterred. I know that when we use stored procedures or parameterized queries, the actual queries minus the user input are pre-parsed and compiled by the database, and therefore the user input is used purely as query values; even if they contain any SQL commands, they will not execute because the SQL database engine will not reparse the queries. Is that the correct technical explanation, or is there more to it?

    Also, if this is the correct explanation, then is it possible for a rogue user to cause the whole parameterized query to be recompiled before execution or not? What will the user have to do to ensure the recompilation? Thanks in advance for any insights into this.

rohit

Received on Thu Jul 17 15:38:18 2003
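An added example (not from either message in this thread) that shows the mechanism Rohit describes: the same lookup once with the input pasted into the SQL text and once bound as a parameter, against a constructed in-memory SQLite table. With the placeholder form the statement is parsed before the value is supplied, so the value is compared as a literal string rather than reparsed as SQL.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2")],
    )
    return conn


def lookup_concat(conn, name):
    # The input becomes part of the statement text, so the parser treats any
    # quote characters or operators it contains as SQL syntax.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # The statement is parsed with a placeholder; the value is bound afterwards
    # and is never parsed as SQL, which is the behaviour Rohit asks about.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    hostile = "x' OR 'a'='a"  # constructed input containing SQL syntax
    return {
        "concat": lookup_concat(conn, hostile),     # ['alice', 'bob']
        "param": lookup_param(conn, hostile),       # []
        "param_real": lookup_param(conn, "alice"),  # ['alice']
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated form returns every row because the WHERE clause was rewritten by the input; the bound form returns nothing because no user is literally named `x' OR 'a'='a`.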

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:53 EDT

