Are Parameters really enough to prevent Sql injections?

Posted by Rune Grimstad on Stack Overflow See other posts from Stack Overflow or by Rune Grimstad
Published on 2008-11-20T20:06:43Z Indexed on 2010/04/23 17:23 UTC
Read the original article Hit count: 357

Filed under:
|
|
|

I've been preaching both to my colleagues and here on SO about the goodness of using parameters in SQL queries, especially in .NET applications. I've even gone so far as to promise them as giving immunity against SQL injection attacks.

But I'm starting to wonder if this really is true. Are there any known SQL injection attacks that will be successfull against a parameterized query? Can you for example send a string that causes a buffer overflow on the server?

There are of course other considerations to make to ensure that a web application is safe (like sanitizing user input and all that stuff) but now I am thinking of SQL injections. I'm especially interested in attacks against MsSQL 2005 and 2008 since they are my primary databases, but all databases are interesting.

Edit: To clarify what I mean by parameters and parameterized queries. By using parameters I mean using "variables" instead of building the sql query in a string.
So instead of doing this:

SELECT * FROM Table WHERE Name = 'a name'

We do this:

SELECT * FROM Table WHERE Name = @Name

and then set the value of the @Name parameter on the query / command object.

© Stack Overflow or respective owner

Related posts about sql

Related posts about sql-injection