Velocity Reviews - Computer Hardware Reviews

About string parameters to stored procedure

Owen Wong
Guest
Posts: n/a
 
      09-04-2006
Hi, I wrote a stored procedure to check user's name (vartype: chr) and
password (chr, too).
Do I have to check whether there is an apostrophe ("'") in the name
string and password string? I tried to put some "'"s in the name string
and didn't replace them with double "'", but it seemed you can not
cheat the stored procedure about it.
-----------------
My stored procedure (SQL server 2000):
CREATE PROCEDURE dbo.userLogin
(
    @userName varchar(20),
    @password varchar(20),
    @userID int output
)
AS
-- @userName and @password arrive as values, not as SQL text, so an apostrophe
-- inside them is only data; nothing needs to be doubled or escaped here.
select @userID = [id] from [user] where [name] = @userName and [password] = @password
-- RETURN yields an int status. If no row matched, @userID is NULL and SQL Server
-- returns 0 with a warning, so read the OUTPUT parameter rather than the status.
return @userID
-------------------

Dominick Baier
Guest
Posts: n/a
 
      09-04-2006
If you use SqlParameter on the client for parameterized queries, you are
on the safe side with this sproc (and call it directly, not via some handcrafted
sp_execute or exec string)

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> Hi, I wrote a stored procedure to check user's name (vartype: chr) and
> password (chr, too).
> Do I have to check whether there is an apostrophe ("'") in the name
> string and password string? I tried to put some "'"s in the name string
> and didn't replace them with double "'", but it seemed you can not
> cheat the stored procedure about it.
> -----------------
> My stored procedure (SQL server 2000):
> CREATE PROCEDURE dbo.userLogin
> (
> @userName varchar(20),
> @password varchar(20),
> @userID int output
> )
> AS
> select @userID=[id] from [user] where [name]=@userName and
> [password]=@password
> return @userID
> -------------------



Owen Wong
Guest
Posts: n/a
 
      09-04-2006
Hi, Dominick,

Thank you for your timely reply. But could you please tell me why
should we "call it directly, not via some handcrafted sp_execute or
exec string"? Anything wrong with calling sproc via sp_execute or exec
string?

Dominick Baier
Guest
Posts: n/a
 
      09-04-2006
Hi,

Well, that means there is some string concatenation involved, which is again
prone to injection attacks.

Just use SqlCommand, CommandType.StoredProcedure and SqlParameter.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> Hi, Dominick,
>
> Thank you for your timely reply. But could you please tell me why
> should we "call it directly, not via some handcrafted sp_execute or
> exec string"? Anything wrong with calling sproc via sp_execute or exec
> string?
>



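As an added example (not code from the thread), here is what the advice in the two replies above looks like on the client side: the procedure called directly with SqlCommand, CommandType.StoredProcedure and typed SqlParameters, next to the "handcrafted exec string" it replaces. It assumes the [user] table and dbo.userLogin exactly as posted; the connection string is a placeholder, and the attacker input is constructed for the demonstration. One caveat the thread does not cover: parameters stop injection, but the procedure still compares a plaintext password column, so store a salted hash and compare against that instead.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Assumes dbo.userLogin as posted.
public static class UserLoginCaller
{
    // Recommended form: the procedure is invoked by name and every value
    // travels as a typed SqlParameter, never as part of the SQL text.
    public static SqlCommand BuildSafeLoginCommand(SqlConnection conn, string userName, string password)
    {
        var cmd = new SqlCommand("dbo.userLogin", conn);
        cmd.CommandType = CommandType.StoredProcedure;

        // Types and lengths match the procedure's declaration (varchar(20)).
        cmd.Parameters.Add("@userName", SqlDbType.VarChar, 20).Value = userName;
        cmd.Parameters.Add("@password", SqlDbType.VarChar, 20).Value = password;

        var idParam = cmd.Parameters.Add("@userID", SqlDbType.Int);
        idParam.Direction = ParameterDirection.Output;
        return cmd;
    }

    // Runs the safe command; returns the matched id, or null when no row matched
    // (the OUTPUT parameter comes back as DBNull in that case).
    public static int? Login(string connectionString, string userName, string password)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildSafeLoginCommand(conn, userName, password))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
            object id = cmd.Parameters["@userID"].Value;
            return id == DBNull.Value ? (int?)null : (int)id;
        }
    }

    // The "handcrafted exec string" the reply warns against: the very same
    // procedure, but the caller splices raw input into a T-SQL batch.
    public static string BuildUnsafeLoginText(string userName, string password)
    {
        return "DECLARE @id int; "
             + "EXEC dbo.userLogin '" + userName + "', '" + password + "', @id OUTPUT; "
             + "SELECT @id;";
    }

    public static void Main()
    {
        // Constructed attacker input: the apostrophe closes the first literal,
        // the rest supplies the remaining arguments plus a SELECT of its own,
        // and the trailing comment marker discards whatever the caller appends.
        string attackerName = "x', 'x', @id OUTPUT; SELECT 1; --";
        string anyPassword = "irrelevant";

        Console.WriteLine("Unsafe batch sent to the server:");
        Console.WriteLine(BuildUnsafeLoginText(attackerName, anyPassword));

        // Placeholder connection string; the command is only inspected here, not executed.
        using (var conn = new SqlConnection("Server=.;Database=app;Integrated Security=true"))
        using (var cmd = BuildSafeLoginCommand(conn, attackerName, anyPassword))
        {
            Console.WriteLine("Safe call: CommandText = " + cmd.CommandText);
            Console.WriteLine("Safe call: @userName value = " + cmd.Parameters["@userName"].Value);
        }
    }
}
```

In the unsafe batch the input lands inside the SQL text, so the server runs the procedure with 'x'/'x', then runs the attacker's SELECT 1, and the comment marker swallows the caller's own ', 'irrelevant', @id OUTPUT; SELECT @id; tail. A client that reads the last result set as the user id now accepts the login as id 1 without any password. In the safe call the CommandText is just dbo.userLogin and the whole attacker string is sent as the single value of @userName, where it merely fails to match any [name]; this is why the apostrophes in the original test could not "cheat" the procedure.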
Owen Wong
Guest
Posts: n/a
 
      09-04-2006
Thank you very much, Dominick. You're really GREAT.
