I've parameterized my queries in my Classic ASP app, but am unsure whether I need to sanitize or scrub free text fields or if the parameterization is sufficient to prevent injection.
views: 248
answers: 2
+4
A:
If you use parametrized queries, you're safe against SQL injection attacks.
But not for XSS attacks; some user could insert HTML content (think about <script>, <object> tags) into your database and, on some page, another user gets that potentially malicious code executed.
Rubens Farias
2010-01-21 22:03:43
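As an added example (not code from the question or from either answer), a Classic ASP page that does both things this answer keeps apart: it binds the free-text field as an ADO parameter so it can never be parsed as SQL, and it HTML-encodes the same field with Server.HTMLEncode when rendering, which is the part parameterization does not cover. The table Comments(Id, Author, Body) and the connection string are assumptions.

```vbscript
<%
' Added example: parameterized insert + encoded output in Classic ASP / VBScript.
' Assumed: a SQL Server table Comments(Id, Author, Body) and the connection string below.
Option Explicit
Const adCmdText = 1, adParamInput = 1, adVarChar = 200

Dim connStr   ' assumed connection string, adjust for your environment
connStr = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=App;Integrated Security=SSPI;"

Sub SaveComment(author, body)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholders are bound as data. A body such as  '; DROP TABLE Comments;--
    ' is stored verbatim as text; the driver never splices it into the statement.
    cmd.CommandText = "INSERT INTO Comments (Author, Body) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("Author", adVarChar, adParamInput, 50, author)
    cmd.Parameters.Append cmd.CreateParameter("Body", adVarChar, adParamInput, 4000, body)
    cmd.Execute
    conn.Close
End Sub

' Parameterization says nothing about output. A stored "<script>" tag written with a bare
' Response.Write would run in every viewer's browser, so encode at the point of rendering.
Sub RenderComments()
    Dim conn, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set rs = conn.Execute("SELECT Author, Body FROM Comments ORDER BY Id")  ' no user input here
    Do Until rs.EOF
        ' Server.HTMLEncode turns < > & " into entities: <script> is shown as text, not executed
        Response.Write "<p><b>" & Server.HTMLEncode(rs("Author")) & "</b>: " _
            & Server.HTMLEncode(rs("Body")) & "</p>"
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
End Sub

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    SaveComment Request.Form("author"), Request.Form("body")
End If
RenderComments
%>
```

Server.HTMLEncode is correct for HTML body and attribute-value contexts; a field echoed inside a JavaScript block or a URL needs the encoding for that context instead.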
+2
A:
Not all SQL stored procs are injection safe
http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/
Aykut
2010-01-21 22:05:51
That article uses examples that rely on dynamically-generated SQL. Even though the SQL is generated server-side, this reintroduces the injection vulnerability issue. The lesson here is **avoid dynamic SQL in any context**.
David Lively
2010-01-21 22:15:08
Nice discussion of ExecuteSQL, which has to be handled in particular ways for security as well (have to make sure to sign particular procedures so that you don't use DBO as the runner of the procedure).
Caveatrob
2010-01-21 22:15:40