SQL Server Stored Procedures: Vulnerabilities?

Posted: Wed Jun 16, 2010 7:08 pm
by m1k3st4rr
I just started learning about server stored procedures, and I am curious to know what sort of injection attacks they are vulnerable to.

For instance, say I have a website:

http://www.myurl.com/param1.param2.param3.html

and the following code is executed on the server:
Code:
exec sp_MyFunction param1, param2, param3


Are there any ways to force the function to execute abnormally? For example, could the function be run several times with more than one set of parameters or multiple entries for a given parameter?

MyFunction cleans input so SQL commands like union, *, etc. are not a problem.
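
Added example, not part of the original post: one way the server side could map the URL above onto the procedure call so that the statement text never depends on request data and the number of arguments is fixed at three. The function name `build_call`, the allow-list pattern, and the use of the ODBC call escape with a driver such as pyodbc are assumptions; the post does not say how the call is built.

```python
import re
from urllib.parse import urlsplit, unquote

# Constant statement text: one placeholder per argument. The driver sends the
# values separately, so request data is never parsed as SQL.
CALL_TEMPLATE = "{CALL sp_MyFunction (?, ?, ?)}"
EXPECTED_PARAMS = 3
# Assumed allow-list for one parameter; adjust to the real data type.
TOKEN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_call(url):
    """Return (sql, params) for a request URL, or raise ValueError.

    Expected form: http://host/param1.param2.param3.html
    """
    # Decode once, before splitting, so an encoded '.' cannot hide an
    # extra segment from the arity check.
    path = unquote(urlsplit(url).path)
    name = path.rsplit("/", 1)[-1]
    if not name.endswith(".html"):
        raise ValueError("unexpected resource name")
    parts = name[: -len(".html")].split(".")
    # Exactly three values: no missing, repeated, or additional parameters.
    if len(parts) != EXPECTED_PARAMS:
        raise ValueError("expected %d parameters, got %d"
                         % (EXPECTED_PARAMS, len(parts)))
    for part in parts:
        if not TOKEN.fullmatch(part):
            raise ValueError("parameter outside allow-list")
    return CALL_TEMPLATE, tuple(parts)


if __name__ == "__main__":
    sql, params = build_call("http://www.myurl.com/param1.param2.param3.html")
    # With a DB-API driver (assumed here: pyodbc) the pair is passed as
    # cursor.execute(sql, params); the SQL text is identical for every request.
    print(sql, params)
```

Binding covers only the call itself. If the procedure body concatenates its arguments into dynamic SQL, that body has to be reviewed separately.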