Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
RE: Paper: SQL Injection Attacks by Example
From: David Litchfield (davidlngssoftware.com)
Date: Wed Jan 05 2005 - 15:09:06 CST
>Actually, to nitpick your comment a bit, stored procedures usually have
typed input variables:
>create procedure foo ( a int, b varchar(20) ) as ...
This has no bearing on the issue.
If from the code of the app I perform something like
strSQL = "exec foo(" & request.querystring("a") & "," &
request.querystring("b") & ")"
then I can either set a in the query string to
Or alternatively I can set b in the query string to
Either way I'm using a stored procedure and I can inject into the app.