Just using stored procedures doesn't prevent SQL Injection; use parameterized stored procedures
This answer on dba.stackexchange.com puts it nicely:
Whether you use SQL statements or stored procedures doesn't matter. What matters is whether your SQL uses parameters or concatenated strings. Parameters prevent SQL injection; concatenated strings allow SQL injection.
The OWASP wiki has a more detailed explanation.
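To make the distinction concrete, here is an added example (not code from the original post or from the quoted answer) of the same lookup written three ways in SQL Server T-SQL. It assumes a hypothetical table dbo.Users(Id, UserName, Email); the first procedure is the pattern the quoted answer warns about, the other two are the parameterized shapes that avoid it.

```sql
-- Added example; assumes SQL Server and a hypothetical table
-- dbo.Users(Id, UserName, Email).

-- Vulnerable: the procedure builds its statement by string concatenation.
-- Whatever arrives in @UserName becomes part of the SQL text, so the
-- stored-procedure wrapper adds no protection at all.
CREATE PROCEDURE dbo.FindUser_Concatenated
    @UserName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = '''
        + @UserName + N'''';
    EXEC (@sql);
END;
GO

-- Fixed: the same dynamic statement, but the value travels as a typed
-- parameter through sp_executesql. The SQL text is constant; @name is
-- bound as data and cannot change the structure of the statement.
CREATE PROCEDURE dbo.FindUser_Parameterized
    @UserName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = @name';
    EXEC sp_executesql @sql, N'@name nvarchar(100)', @name = @UserName;
END;
GO

-- Simplest: when no dynamic SQL is needed, a static statement inside the
-- procedure is already parameterized by the procedure's own arguments.
CREATE PROCEDURE dbo.FindUser_Static
    @UserName nvarchar(100)
AS
BEGIN
    SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = @UserName;
END;
GO
```

When reviewing existing procedures, the thing to look for is EXEC of a string assembled with + from procedure arguments; sp_executesql with a parameter-definition string, or a plain static statement, is the shape you want instead.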
The Stack Exchange family of websites lets you sort and view the top voted questions in a specific area of interest identified through tags. They provide an RSS feed that you can follow through an RSS feed reader like Google Reader, to stay abreast of hot questions in your favorite programming area.
The RSS feed for the top voted questions with the sql-injection tag on dba.stackexchange.com looks like this: http://dba.stackexchange.com/feeds/tag?tagnames=sql-injection&sort=votes