tags:

views:

67

answers:

1
+1  Q: 

Are SQL Server 2008 Table Valued Parameters vulnerable to SQL injection attacks?

I have been investigating Table-Valued Parameters in SQL Server 2008, and I've discovered that when passing such a parameter to a stored procedure, a query such as the following is sent to the database server:

declare @p1 dbo.MyTypeName
insert into @p1 values(N'row1col1',N'row1col2')
insert into @p1 values(N'row2col1',N'row2col2')
insert into @p1 values(N'row3col1',N'row3col2')
insert into @p1 values(N'row4col1',N'row4col2')
insert into @p1 values(N'row5col1',N'row5col2')

exec StoredProcedureName @MyParam=@p1

My question is, how secure against SQL injection attacks is this, given that the insert statements are not parameterized? I tried the most trivial attack against it, and the quotes were properly escaped, but has anyone run an exhaustive test, or is there something else going on here that would protect me?

+1  A: 

You don't need to worry about SQL Injection attacks with TVPs.

This seems like a bunch of singleton calls but it's not. As my colleage Keith Elmore at Microsoft CSS pointed out, that is just the convention used to allow the data to be displayed or copied/pasted into a query window and run. The TVP isn’t actually implemented in that way—the rows are streamed across just like a bulk insert—but it may have led to this impression that it does simple inserts.

Source: http://blogs.msdn.com/mikecha/archive/2009/08/07/two-fast-ways-to-bulk-insert-client-generated-data-to-sql-database.aspx

Randolph Potter  2009-09-14 18:13:35
Perfect, thanks. I looked and looked, but I couldn't find anything.
Mark  2009-09-14 19:39:43

related questions

Is LINQ to SQL InsertOnSubmit() subject to SQL Injection Attack?
How Can I test my web site for SQL injection attacks?
Storing parts of user data in files for preventing SQL injection
HTTP input filter like mod_security for WebSphere?
Does LINQ's ExecuteCommand provide protection from SQL injection attacks?
Dynamic SQL - Search Query - Variable Number of Keywords
Classic ASP SQL Injection Protection
Comprehensive server-side validation
Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?
Are PDO prepared statements sufficient to prevent SQL injection?
What's the best method for sanitizing user input with PHP?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
Parameterized SQL Columns?
Handling the data in an IN clause, with SQL parameters?
What should you do when coming across a publicly accessible security vulnerability?
binding variables to parameters in ADOdb for PHP
Penetration testing tools
Is there some way to inject SQL even if the ' character is deleted?
How do I programatically sanitise coldfusion cfquery parameters.
Best way to stop SQL Injection in PHP
Inform potential clients about security vulnerabilities?
When is it Best to Sanitize User Input?
What is the best way to avoid SQL injection attacks?
Catching SQL Injection and other Malicious Web Requests