View Full Version : ایا store procedure ها میتونند جلوی sql inject رو بگیرن ؟ نظر شما چیه؟

یک شنبه 13 مرداد 1392, 11:24 صبح
It isn't true to say that SQL injection in stored procedures has no effect in SQL Server, however—if an attacker can inject SQL into a stored procedure, he can directly modify the system catalog—but only if he already had permissions that would enable him to do so. The additional risk posed by this is slight, since the attacker would already have to be an administrator in order to take advantage of any SQL injection flaw in this way—and if he is a database administrator, there are many other, far more serious things he can do to the system.

این پاراگراف برگرفته از کتاب The Database Ha*cke*r's است

پنج شنبه 31 مرداد 1392, 14:15 عصر
تا حدودی می تونن

اما این رو بدون

No System Is Safe

دوشنبه 04 شهریور 1392, 20:49 عصر
شاید یه خورده دیر دارم جواب میدم اما آره میتونن
به شرطی که مستقیم از دستور exec استفاده نکنی و اگر میخوای select بگیری یا insert کنی به شکل زیر عمل کنی

select * from tbl1 where id=@myid