SQL injection prevention

Greenhorn
Hi All,

I am referring to OWASP for SQL injection prevention and have two queries:

(1) What is "embedded parameters" in relation to parameterized stored procedures? I couldn't find any difference between parameters and embedded parameters.

(2) Which one is better?
(a) Parameterized stored procedures with the principle of least privilege // clubbing an additional defense with a high-priority defense
(b) Parameterized stored procedures with embedded parameters

I think option (a) depends on a policy where you use stored procedures everywhere, so unless specified, option (b) is more correct.

OWASP - https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Least_Privilege

TIA
Rahul

author & internet detective
I don't see the word embedded parameters on that page. Do you have a link/quote that references them? (I'm not sure what the term refers to. It might be concatenating parameters with SQL which is bad. But I'm not sure that is what you mean.)
Rahul Shar
Greenhorn
Hi Jeanne,

Yes, "embedded parameters" is not on the OWASP page but was actually referred to in some other article related to SQL injection.

I think it is related to Oracle EXECUTE IMMEDIATE or a procedure where a dynamic query or proc is generated.

Thanks
Rahul
Rancher
The premise of your question seems to be to use stored procedures. While stored procs can add additional security, that is not directly related to SQL injection. Using prepared statements (in raw SQL queries) already takes care of that without the use of stored procs (which do have drawbacks as well as benefits).
Rahul Shar
Greenhorn
I think "embedded parameter" is related to the example given on the OWASP site:

https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet#Stored_Procedure_Examples
Greenhorn
I think I have found the answer for this, please "Find" the keyword "embedded parameter" from the pages below:
http://anubhavg.wordpress.com/2008/02/01/are-stored-procedures-safe-against-sql-injection/

http://palizine.plynt.com/issues/2006Jun/injection-stored-procedures/
Pablo Pastore
Greenhorn
(b) should be true then.
Author
The solution to stop SQL Injection is to use PARAMETERIZED QUERIES. Also consider very good input validation, but parameterized queries are the most important technique. You need to do parameterization:
1) For SQL creation
2) When calling a stored procedure
3) Inside the stored procedure itself

Here are a few resources:

https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
https://www.youtube.com/watch?v=pypTYPaU7mM

Aloha,
Jim
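The three levels Jim lists, shown in JDBC as an added example that is not part of the thread or of OWASP's own samples. The table `users` and the procedure `find_user` are assumed names; the Oracle PL/SQL in the comments is there because the application code cannot fix the third level, which lives inside the procedure body.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class ParameterizationLevels {

    // Level 1: SQL built in application code.
    // Weak form: the user value becomes part of the SQL text, so a value
    // containing a quote ends the string literal and the rest is parsed as SQL.
    static String unsafeLookupSql(String username) {
        return "SELECT id, email FROM users WHERE name = '" + username + "'";
    }

    // Safe form: the placeholder is bound with setString; the driver sends the
    // value separately from the statement text, so it cannot change the query.
    static int safeLookup(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT id, email FROM users WHERE name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                int rows = 0;
                while (rs.next()) rows++;
                return rows;
            }
        }
    }

    // Level 2: calling a stored procedure. Bind the argument through a
    // CallableStatement; never concatenate it into the CALL text.
    static void safeCall(Connection conn, String username) throws SQLException {
        try (CallableStatement cs = conn.prepareCall("{call find_user(?)}")) {
            cs.setString(1, username);
            cs.execute();
        }
    }

    // Level 3: inside the procedure. Binding at levels 1 and 2 is undone if the
    // procedure body embeds its parameter in dynamic SQL (the "embedded
    // parameter" case from the thread). Illustrative Oracle PL/SQL:
    //   -- weak: parameter spliced into the SQL text
    //   EXECUTE IMMEDIATE 'SELECT ... WHERE name = ''' || p_name || '''' INTO v_rec;
    //   -- safe: bind variable, value supplied via USING
    //   EXECUTE IMMEDIATE 'SELECT ... WHERE name = :1' INTO v_rec USING p_name;
    // Least privilege: the account behind conn should hold EXECUTE on find_user
    // and no direct rights on the underlying tables.
}
```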
Ranch Hand
From my perspective, also after checking the (OWASP) links, 2a is the better solution than 2b.

What do you think?