Possible Duplicate:
Do stored procedures prevent SQL injection?
I'm curious about some database security techniques I've been learning in class recently. Namely, I have implemented a SQL Server 2008 R2 database with stored procedures that a connection user can execute. I continually get a server error processing the URL when attempting injection attacks, and my DB tables remain untouched. I have read that a stored procedure is not a defense against injection; are more complex injections required to break it, or are there reasons why simple drop table, list client, etc. injections are failing? Examples:
a';DROP TABLE CreditCard; SELECT * FROM Client WHERE 't' = 't
x' AND 1=(SELECT COUNT(*) FROM CreditCard); --
results are essentially:
exec sp_GetUser 'x' AND 1=(SELECT COUNT(*) FROM Client); --' , 'monkey'
An error occurred on the server when processing the URL. Please contact the system administrator.
Here's the login stored procedure, in case that has some influence over why I'm getting the results I am.
USE [CIS413]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[sp_GetUser]
@UserName varchar(50), @Password varchar(20)
AS
BEGIN
SELECT userName from users where userName = @UserName and userPass = @Password
END
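The output line `exec sp_GetUser 'x' AND 1=(...); --' , 'monkey'` shows the application assembling the EXEC text from raw input, so the stored procedure only sees whatever survives parsing of that string. The contrast that matters is between that concatenation and a parameterized call, where the command text is constant and the values travel separately. The following added Python example (not code from the question or its author) reproduces the concatenated EXEC string from the question, shows the equivalent parameterized call shape as pyodbc's ODBC call syntax, and runs the body of sp_GetUser with bound parameters against a constructed in-memory SQLite database to show that the quoted payloads simply become a user name that matches nothing; the sample tables and rows are constructed for the demo.

```python
import sqlite3

# Payloads quoted in the question, used here only as test input.
PAYLOAD_COUNT = "x' AND 1=(SELECT COUNT(*) FROM Client); --"
PAYLOAD_DROP = "a';DROP TABLE CreditCard; SELECT * FROM Client WHERE 't' = 't"


def build_exec_by_concatenation(user_name: str, password: str) -> str:
    """The pattern implied by the question's output: the EXEC text is glued
    together from raw input, so the input becomes part of the command text."""
    return "exec sp_GetUser '" + user_name + "' , '" + password + "'"


def build_exec_parameterized(user_name: str, password: str):
    """Parameterized call shape (pyodbc ODBC call syntax, assumed here):
    command text is a constant; the values are passed as a separate tuple."""
    return ("{CALL sp_GetUser (?, ?)}", (user_name, password))


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the question's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (userName TEXT, userPass TEXT);
        CREATE TABLE Client (id INTEGER);
        CREATE TABLE CreditCard (id INTEGER);
        INSERT INTO users VALUES ('alice', 'monkey');
        """
    )
    return conn


def get_user(conn: sqlite3.Connection, user_name: str, password: str):
    """Body of sp_GetUser executed with bound parameters: the driver sends the
    values as data, never as SQL text, so quotes and semicolons are inert."""
    row = conn.execute(
        "SELECT userName FROM users WHERE userName = ? AND userPass = ?",
        (user_name, password),
    ).fetchone()
    return row[0] if row else None


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    print(build_exec_by_concatenation(PAYLOAD_COUNT, "monkey"))
    print(build_exec_parameterized(PAYLOAD_COUNT, "monkey"))
    db = make_demo_db()
    print(get_user(db, "alice", "monkey"))        # alice
    print(get_user(db, PAYLOAD_DROP, "monkey"))   # None
    print(table_exists(db, "CreditCard"))         # True
```

The first print reproduces the exact line from the question's output, which is why the server answers with a syntax error: the EXEC statement's argument list is not a place where `AND` or a subquery is valid. That error is a property of the concatenated call, not of the procedure; the parameterized form makes the same payload an ordinary, non-matching user name.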