Stored procedures make SQL injection easy to avoid, provided the user input reaches the procedure as a parameter. Injection is mostly possible with inline queries, where the application builds the INSERT or UPDATE command by enclosing the user input in quotes and concatenating it into the command text; a stored procedure that builds dynamic SQL the same way is just as exposed.
Benefits of using a stored procedure:
- The user input is not enclosed in single quotes inside the SQL text; it is passed as a parameter to the SQL statement.
- sp_executesql is used to execute the parameterized SQL statement together with its parameter list, so the values are never part of the statement text.
Measures to avoid SQL injection
- Validate all input coming from the user on the server.
- Avoid dynamic SQL queries whenever an alternative method is available.
- Use parameterized stored procedures with embedded parameters.
- Execute stored procedures through a safe interface such as CallableStatement in JDBC or the Command object in ADO.
- Connect to the database with a low-privileged account.
- Grant the stored procedures used by the application only the roles and privileges they actually need.
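The two points above, passing input as a parameter instead of quoting it into the statement (the benefits list) and running the application under a low-privileged account with EXECUTE rights only (the measures list), in working T-SQL. This is an added example, not code from the original post. It assumes SQL Server, a hypothetical table dbo.Users, and hypothetical procedure, role and user names; the sample rows are constructed for the demonstration.

```sql
-- Added example (not from the original post). Assumes SQL Server; dbo.Users,
-- the procedure names, app_reader and app_user are all hypothetical.

-- Constructed sample data.
CREATE TABLE dbo.Users (UserName nvarchar(128) NOT NULL, Email nvarchar(256) NOT NULL);
INSERT INTO dbo.Users VALUES (N'alice', N'alice@example.com'), (N'bob', N'bob@example.com');
GO

-- VULNERABLE: a stored procedure gives no protection when it concatenates the
-- input into dynamic SQL. The quotes are part of the text the caller controls,
-- so the value  ' OR 1=1 --  turns the predicate into  UserName = '' OR 1=1 --'
-- and every row is matched.
CREATE PROCEDURE dbo.GetUserByName_Unsafe @UserName nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT UserName, Email FROM dbo.Users WHERE UserName = ''' + @UserName + N'''';
    EXEC (@sql);
END
GO

-- HARDENED (dynamic SQL still required): the statement text keeps a placeholder
-- and the value travels separately through sp_executesql's parameter list, so
-- the engine treats it as data only, never as part of the query.
CREATE PROCEDURE dbo.GetUserByName_Dynamic @UserName nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT UserName, Email FROM dbo.Users WHERE UserName = @name';
    EXEC sp_executesql @sql, N'@name nvarchar(128)', @name = @UserName;
END
GO

-- PREFERRED: no dynamic SQL at all. The parameter is used directly in a static
-- statement; there is no string to inject into.
CREATE PROCEDURE dbo.GetUserByName @UserName nvarchar(128)
AS
BEGIN
    SELECT UserName, Email FROM dbo.Users WHERE UserName = @UserName;
END
GO

-- Least privilege: the application account may only EXECUTE the procedure and
-- gets no direct access to dbo.Users. Because dbo owns both the table and the
-- procedure, ownership chaining lets the static procedure read the table.
-- Caveat: ownership chaining does not apply to dynamic SQL (EXEC / sp_executesql),
-- so a dynamic procedure would need WITH EXECUTE AS OWNER or a table grant.
CREATE ROLE app_reader;
GRANT EXECUTE ON dbo.GetUserByName TO app_reader;
CREATE USER app_user WITHOUT LOGIN;          -- stands in for the application's login
ALTER ROLE app_reader ADD MEMBER app_user;
GO

-- Same payload against the unsafe and the hardened procedures.
DECLARE @payload nvarchar(128) = N''' OR 1=1 --';
EXEC dbo.GetUserByName_Unsafe  @UserName = @payload;   -- predicate rewritten by the input
EXEC dbo.GetUserByName_Dynamic @UserName = @payload;   -- looks for a user literally named ' OR 1=1 --
EXEC dbo.GetUserByName         @UserName = @payload;   -- same: the value is only compared, not parsed
GO

-- Check what the restricted account can do: EXECUTE on the procedure but no
-- SELECT on the table, so a successful injection elsewhere could not dump it.
EXECUTE AS USER = 'app_user';
SELECT HAS_PERMS_BY_NAME('dbo.Users', 'OBJECT', 'SELECT')          AS CanReadTable,
       HAS_PERMS_BY_NAME('dbo.GetUserByName', 'OBJECT', 'EXECUTE') AS CanExecProc;
EXEC dbo.GetUserByName @UserName = N'alice';           -- allowed through ownership chaining
REVERT;
GO
```

Run the script in a scratch database. The first EXEC shows why quoting input into a string is the problem regardless of where that string is built; the second shows the sp_executesql pattern for the cases where dynamic SQL cannot be avoided; the third is the form to reach for first. The HAS_PERMS_BY_NAME query is the quick check that the application account really has nothing beyond EXECUTE on the procedures it calls.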