tags:

views:

263

answers:

5
Q: 

Are SQL stored procedures secure?

Are they less vulnerable to SQL injection than doing stuff like mysql_query("SELECT important_data FROM users WHERE password = $password")?

+2  A: 

They are more secure than what you are doing. Your query is posting raw SQL to the db which means that your parameters aren't treated as sql parameters but as plain old sql.

Here is what I mean.

With a stored prococedure the password variable can't be sql, it has to be a piece of information the system is looking for. In your example what is actually sent to the db is

SELECT * FROM User where password = ('your password here'--$Password variable).....so someone can do something like

SELECT * FROM user WHERE Password = ('your password here';SELECT * FROM User --$password variable).

or worse yet:

SELECT * FROM user WHERE Password = ('your password here';DROP Database Database_Name --$password variable).

A non-dynamic sql stored procedure won't allow this, because the input parameter won't execute as extra sql.

Parametrized SQL does take care of this, but technically stored procedures are still a little more secure, because the user accessing information in the table doesn't need Read Access. It only needs to be able to execute the stored procedure. Depending on your need this may or may not come into play.

Kevin  2009-06-21 14:50:53
A: 

There are no secure technologies. Technologies can only be used in safe or unsafe manners.

That said, stored procedures require slightly more creative coding to permit SQL injection -- which nevertheless happens. Nothing prevents you from concatenating strings in them, in any SQL database engine of which I'm aware.

Pontus Gagge  2009-06-21 14:52:24
+2  A: 

Not necessarily, you could be doing string concatenation inside of it and the exposure would be the same. If you use dynamic sql with parameter variables (no string concatenation to produce SQL) you'd be fairly well protected.

Otávio Décio  2009-06-21 14:52:52
+1 - also, parametrized queries' execution plans are cached, so they're quicker.
karim79  2009-06-21 15:04:49
@karim: stored procedure plans are cached as well - performance really isn't an issue anymore between SP and parametrized queries
marc_s  2009-06-21 18:46:55
A: 

if they are parameterized correctly and you are not doing dynamic sql then they are more secure and you will also benefit from execution plan reuse

SQLMenace  2009-06-21 14:55:12
+1  A: 

As long as you use parameters and don't use string concatenation for user-entered values, there will be no risk of SQL injection. Stored procedures are a bit "safer" in this aspect, because they encourage you to use parameters. But if in the procedure you do something like

EXECUTE 'SELECT important_data FROM users WHERE password = ' + @password

Then you'll be back to square 1 and very much vulnerable to SQL injections.

Also, there is such a thing as "prepared statements" which are not stored procedures, but can also use parameters. They can thus be used to avoid SQL injection as well.

Vilx-  2009-06-21 14:55:16

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP