Just using stored procedures doesn't prevent SQL Injection; use parameterized stored procedures

This answer on dba.stackexchange.com puts it nicely:
Whether you use SQL statements or stored procedures doesn't matter. What matters is whether your SQL uses parameters or concatenated strings. Parameters prevent SQL injection; concatenated strings allow SQL injection.

The OWASP wiki has a more detailed explanation.
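The difference in concrete form, as an added example not taken from the answer or the OWASP page. It assumes SQL Server (T-SQL) syntax and a hypothetical `dbo.Users` table; the first procedure is "stored" yet still injectable because it splices its argument into the statement text, while the other two keep the argument as data.

```sql
-- Hypothetical table used by all three procedures (constructed for this example).
CREATE TABLE dbo.Users (Id INT PRIMARY KEY, Name NVARCHAR(100) NOT NULL);
GO

-- Vulnerable: a stored procedure that builds dynamic SQL by string concatenation.
-- @Name becomes part of the statement text, so a value containing a quote can
-- change the structure of the query rather than just the value being compared.
CREATE PROCEDURE dbo.GetUserByName_Unsafe @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name FROM dbo.Users WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO

-- Safe: the same dynamic SQL, but the value travels as a parameter through
-- sp_executesql. The statement text is fixed; @p is only ever a value.
CREATE PROCEDURE dbo.GetUserByName_Safe @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name FROM dbo.Users WHERE Name = @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(100)', @p = @Name;
END;
GO

-- Simplest safe form: no dynamic SQL at all. A static statement inside a
-- procedure is parameterized by construction.
CREATE PROCEDURE dbo.GetUserByName @Name NVARCHAR(100)
AS
BEGIN
    SELECT Id, Name FROM dbo.Users WHERE Name = @Name;
END;
GO
```

The calling application must do the same on its side: pass the value to the procedure as a command parameter, not by concatenating an `EXEC` string.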

The Stack Exchange family of websites lets you sort and view the top voted questions in a specific area of interest identified through tags. They provide an RSS feed that you can follow through an RSS feed reader like Google Reader, to stay abreast of hot questions in your favorite programming area.

The RSS feed for the top voted questions with the sql-injection tag on dba.stackexchange.com looks like this - http://dba.stackexchange.com/feeds/tag?tagnames=sql-injection&sort=votes
