Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
offspring22
Starting Member
38 Posts |
 Posted - 2012-04-16 : 15:41:32
|
| Hello,We have a simple stored procedure used to validate users. Our website sends the query "sp_login 'username','password'" and if valid returns a 1, if not, a 0.Here's the code for the SP: SELECT count(*) from dbo.MEMBERS where public_id LIKE @public and private_id LIKE @private or icni_public_id like @public and icni_private_id LIKE @privateAny holes you can see? |
|
|
visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2012-04-16 : 15:44:43
|
| what validation you've put for these parameters? are you including this in stored procedure or executing this as an ad hoc query?------------------------------------------------------------------------------------------------------SQL Server MVPhttp://visakhm.blogspot.com/ |
 |
|
|
visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2012-04-16 : 15:46:26
|
also the statement should be as below i guess...SELECT count(*)from dbo.MEMBERSwhere (public_id LIKE @publicand private_id LIKE @private)or(icni_public_id like @publicand icni_private_id LIKE @private) else that OR will cause all other conditions to be bypassed which is not what you're looking for i guess------------------------------------------------------------------------------------------------------SQL Server MVPhttp://visakhm.blogspot.com/ |
|
|
|
|
|
|
Would this be safe from SP injection?