You should review stored procedures that use dynamic SQL for SQL injection vulnerabilities.
Here is a SQL statement that lists every stored procedure using some form of the EXEC command (EXEC, EXECUTE or sp_executesql), which is how dynamic SQL is run. Each one should be reviewed to determine whether any value supplied by the caller is concatenated into the statement text it executes.
-- Lists stored procedures whose definition contains some form of EXEC, EXECUTE or sp_executesql.
-- The EXEC/EXECUTE patterns are checked with and without a space before the parenthesis.
-- Caveat: syscomments stores long definitions in 4000-character chunks, so a keyword that
-- straddles a chunk boundary is missed; sys.sql_modules (SQL Server 2005 and later) holds the whole text.
SELECT DISTINCT OBJECT_NAME(c.id) AS procedure_name
FROM syscomments AS c
JOIN sysobjects AS o ON o.id = c.id AND o.xtype = 'P'   -- stored procedures only
WHERE UPPER(c.text) LIKE '%EXECUTE (%'
   OR UPPER(c.text) LIKE '%EXECUTE(%'
   OR UPPER(c.text) LIKE '%EXEC (%'
   OR UPPER(c.text) LIKE '%EXEC(%'
   OR UPPER(c.text) LIKE '%SP_EXECUTESQL%'
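A broader version of that inventory, as an added example that is not from the original post: it reads sys.sql_modules (SQL Server 2005 or later), where the whole definition sits in one row instead of the 4000-character chunks of syscomments, strips spaces, tabs and line breaks so that EXEC (, EXEC<tab>( and EXEC followed by a newline all match, and reports which form of dynamic execution was found. Only the standard catalog views and columns are used; the reasons in the `form` column are labels chosen for this example.

```sql
-- Added example (not from the original post): inventory of stored procedures that run
-- dynamic SQL, with the form that matched. Requires SQL Server 2005 or later.
WITH procs AS (
    SELECT  o.object_id,
            SCHEMA_NAME(o.schema_id) AS schema_name,
            o.name AS procedure_name,
            m.definition,
            -- Drop spaces, tabs and line breaks so "EXEC (", "EXEC<tab>(" and
            -- "EXEC<newline>(" all collapse to "EXEC(" before matching.
            REPLACE(REPLACE(REPLACE(REPLACE(UPPER(m.definition),
                    ' ', ''), CHAR(9), ''), CHAR(10), ''), CHAR(13), '') AS stripped
    FROM sys.sql_modules AS m
    JOIN sys.objects AS o ON o.object_id = m.object_id
    WHERE o.type = 'P'                 -- SQL stored procedures only
      AND o.is_ms_shipped = 0          -- skip objects shipped with the server
),
forms (pattern, form) AS (
    -- One row per way of executing dynamic SQL; the labels are this example's own.
    SELECT * FROM (VALUES
        ('%EXEC(%',         'EXEC (@string)'),
        ('%EXECUTE(%',      'EXECUTE (@string)'),
        ('%SP_EXECUTESQL%', 'sp_executesql (check whether values are passed as parameters or concatenated)'),
        ('%EXEC@%',         'EXEC @variable (procedure name from a variable, or @ret = proc; check which)'),
        ('%EXECUTE@%',      'EXECUTE @variable (procedure name from a variable, or @ret = proc; check which)')
    ) AS v(pattern, form)
)
SELECT  p.schema_name,
        p.procedure_name,
        f.form,
        LEN(p.definition) AS definition_length
FROM procs AS p
JOIN forms AS f ON p.stripped LIKE f.pattern
ORDER BY p.schema_name, p.procedure_name, f.form;
```

Matches inside comments or string literals are reported too, so the list is a starting point for manual review rather than a verdict; a procedure that appears only under the sp_executesql form may already be parameterized correctly, which the text search cannot tell.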
And here is some good information about SQL injection that a friend pointed out to me:
http://www.sommarskog.se/dynamic_sql.html#SQL_injection
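What such a review is looking for, as an added example that is not part of the original post or of the linked article: a procedure that pastes a parameter into an EXEC string, beside the same procedure rewritten to pass values as sp_executesql parameters and to validate the one identifier it must concatenate. The table, procedure and column names (dbo.Customers, FindCustomers_Unsafe, FindCustomers_Safe) are hypothetical, the rows and the payload are constructed for the demonstration, and the script assumes SQL Server 2008 or later run from a client that understands GO batch separators.

```sql
-- Added example (not from the original post). Names are hypothetical; data is constructed.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    City       NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.Customers (Name, City) VALUES (N'Ann', N'Oslo'), (N'Bob', N'Lund');
GO

-- Vulnerable: the caller's values become part of the statement text.
CREATE PROCEDURE dbo.FindCustomers_Unsafe
    @City    NVARCHAR(100),
    @OrderBy SYSNAME = N'Name'
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE City = '''
        + @City + N''' ORDER BY ' + @OrderBy;
    EXEC (@sql);     -- this is the line the inventory query flags
END
GO

-- Hardened: values travel as parameters of sp_executesql, never as text. The ORDER BY column
-- cannot be a parameter, so it is checked against the catalog and wrapped in QUOTENAME.
CREATE PROCEDURE dbo.FindCustomers_Safe
    @City    NVARCHAR(100),
    @OrderBy SYSNAME = N'Name'
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Customers') AND name = @OrderBy)
    BEGIN
        RAISERROR(N'Invalid ORDER BY column.', 16, 1);
        RETURN;
    END

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE City = @City ORDER BY '
        + QUOTENAME(@OrderBy);
    EXEC sp_executesql @sql, N'@City NVARCHAR(100)', @City = @City;
END
GO

-- Demonstration. The payload closes the string literal, appends a second statement and
-- comments out the rest of the original text.
DECLARE @payload NVARCHAR(100) = N'Oslo''; SELECT name, create_date FROM sys.procedures; --';

EXEC dbo.FindCustomers_Unsafe @City = @payload;  -- two result sets: Ann's row, then every procedure
EXEC dbo.FindCustomers_Safe   @City = @payload;  -- no rows: the whole payload is compared as a city name
EXEC dbo.FindCustomers_Safe   @City = N'Oslo', @OrderBy = N'City; DROP TABLE dbo.Customers';  -- rejected by the catalog check
```

Note that the hardened version still uses dynamic SQL and still shows up in the inventory; what changes is that no caller-supplied value is ever part of the statement text, which is the property to verify for each flagged procedure.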