
I've parameterized my queries in my Classic ASP app, but am unsure whether I need to sanitize or scrub free text fields or if the parameterization is sufficient to prevent injection.

  • You can always try to inject your own SQL injections to see how it behaves. Commented Jan 21, 2010 at 22:04

2 Answers


If you use parametrized queries, you're safe against SQL injection attacks.

But not against XSS attacks; some user could insert HTML content (think of <script> and <object> tags) into your database and, on some page, another user gets that potentially malicious code executed.




Not all SQL stored procs are injection-safe.

http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/

2 Comments

That article uses examples that rely on dynamically-generated SQL. Even though the SQL is generated server-side, this reintroduces the injection vulnerability issue. The lesson here is avoid dynamic SQL in any context.
Nice discussion of ExecuteSQL, which has to be handled in particular ways for security as well (you have to make sure to sign particular procedures so that you don't use DBO as the runner of the procedure).
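Both answers in one runnable picture: bound parameters keep free text from altering the SQL, a procedure that rebuilds SQL by concatenation from that same parameter is injectable again, and output encoding, not input scrubbing, is what stops stored HTML from running. This is an added example, not code from the question or either answer; it uses Python's sqlite3 as a stand-in for the Classic ASP/SQL Server setup, and the `comments` table and sample rows are constructed here.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the app's database (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    con.execute("INSERT INTO comments(author, body) VALUES ('alice', 'hello')")
    return con


def find_by_author_parameterized(con, author):
    # The driver binds the value; it can never change the statement's structure,
    # so free text needs no scrubbing to be SQL-safe.
    return con.execute("SELECT body FROM comments WHERE author = ?", (author,)).fetchall()


def find_by_author_dynamic(con, author):
    # Mimics a stored procedure that receives its argument safely and then builds
    # dynamic SQL from it by concatenation: the injection hole is reintroduced.
    sql = "SELECT body FROM comments WHERE author = '" + author + "'"
    return con.execute(sql).fetchall()


def store_comment(con, author, body):
    # Free text is stored byte-for-byte through a bound parameter; HTML tags survive.
    con.execute("INSERT INTO comments(author, body) VALUES (?, ?)", (author, body))
    return con.execute("SELECT body FROM comments WHERE author = ?", (author,)).fetchone()[0]


def render_unsafe(body):
    # Writing the stored text straight into the page lets stored markup execute (XSS).
    return "<p>" + body + "</p>"


def render_safe(body):
    # Output encoding at render time is the XSS defence, independent of how the row was stored.
    return "<p>" + html.escape(body, quote=True) + "</p>"
```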
