  SQL Server Tips by Gama and Naughter


SQL injection in dynamic SQL

 

SQL injection is not exclusive to web applications: any application is vulnerable if SQL code is assembled from user input without security measures. A stored procedure (SP) that uses dynamic SQL can be subject to this kind of attack as well.

 

The SP validate_user authenticates users by retrieving the user name from the user table, filtered by login name and password. If the user name is NULL, the supplied login name and password have no match in the database, and the user is not authenticated.

 

CREATE PROCEDURE validate_user @logname varchar(50), @password varchar(20)

AS

set nocount on

DECLARE @SQL NVARCHAR(4000), @name varchar(50)

-- The user input is concatenated straight into the statement text;
-- this is what makes the procedure injectable.
SET @SQL='select @uname=username from Table_users WHERE logname='''+@logname+''' AND userpassword='''+@password+''''

-- Show the statement that is about to be executed
PRINT @SQL

-- @uname is declared as an OUTPUT parameter of the dynamic batch and mapped to @name
EXECUTE sp_executesql @SQL, N'@uname varchar(50) out', @name out

IF NOT (@name IS NULL)

      SELECT 'Welcome '+@name+'!'

ELSE

      SELECT 'User not authenticated!'

 

The SP also prints the SQL statement it is about to run, so that it is easier to see how the query is modified by the input.

 

This is a call with the correct login name and password:

 

EXEC validate_user 'mike',  'a1234'

 

All the techniques already examined are still possible; the only difference is that some single quotes have to be doubled, because the input is now written as a T-SQL string literal:

 

EXEC validate_user ''' OR 1=1--',  ''

EXEC validate_user ''' OR ''''=''',  ''' OR ''''='''

Etc…
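As an added example (not from the book excerpt), here is the same procedure written so that the input cannot change the statement: the query text is a constant, and the login name and password are handed to sp_executesql as parameters rather than concatenated into the text. The table definition and the sample row are constructed for illustration, using the column names from the excerpt; the procedure names validate_user_safe and validate_user_static and the parameter names @ln and @pw are my own.

```sql
-- Constructed sample schema and row, matching the column names used in the excerpt.
CREATE TABLE Table_users (
    username     varchar(50),
    logname      varchar(50),
    userpassword varchar(20)
);
INSERT INTO Table_users (username, logname, userpassword) VALUES ('Mike', 'mike', 'a1234');
GO

-- Hardened version (hypothetical name): same result for legitimate calls, but the
-- user input is passed as sp_executesql parameters and never spliced into the text.
CREATE PROCEDURE validate_user_safe @logname varchar(50), @password varchar(20)
AS
SET NOCOUNT ON
DECLARE @SQL NVARCHAR(4000), @name varchar(50)

-- The statement text is fixed; @ln and @pw are placeholders resolved by sp_executesql,
-- so a quote or a comment marker in the input stays inside the compared value.
SET @SQL = N'SELECT @uname = username FROM Table_users WHERE logname = @ln AND userpassword = @pw'

EXECUTE sp_executesql @SQL,
    N'@uname varchar(50) OUTPUT, @ln varchar(50), @pw varchar(20)',
    @uname = @name OUTPUT, @ln = @logname, @pw = @password

IF @name IS NOT NULL
    SELECT 'Welcome ' + @name + '!'
ELSE
    SELECT 'User not authenticated!'
GO

-- When the statement does not need to be dynamic at all, a plain query inside the
-- procedure is simpler still: its parameters are bound by SQL Server, not by string building.
CREATE PROCEDURE validate_user_static @logname varchar(50), @password varchar(20)
AS
SET NOCOUNT ON
DECLARE @name varchar(50)
SELECT @name = username FROM Table_users WHERE logname = @logname AND userpassword = @password
IF @name IS NOT NULL
    SELECT 'Welcome ' + @name + '!'
ELSE
    SELECT 'User not authenticated!'
GO

-- The legitimate call from the excerpt, followed by the two injection inputs it lists,
-- all run against the hardened procedure.
EXEC validate_user_safe 'mike', 'a1234'
EXEC validate_user_safe ''' OR 1=1--', ''
EXEC validate_user_safe ''' OR ''''=''', ''' OR ''''='''
```

With parameters, an input such as ''' OR 1=1--' is compared as the literal string ' OR 1=1-- against the logname column; it matches no row, so the procedure takes the 'User not authenticated!' path instead of the 'Welcome' path. The PRINT from the excerpt is dropped because the statement text no longer varies with the input. Note that parameterisation only removes the injection: the excerpt's schema compares a stored plaintext password, which is a separate weakness that this change does not address.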


 


The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter

 http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm
 

 

Copyright © 1996 -  2013 by Vaaltech Web Services. All rights reserved.
