

Stored procedures and ORMs won't save you from SQL injection - troyhunt
http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html

======
benologist
He's using stored procedures to exec a block of sql he puts together. If you
do it that way it's no different to slapping a query together directly in your
code.

If you do it this way you avoid the string concatenation that enables sql
injection + you don't need any table permissions just execute permission on
the proc:

    ALTER PROCEDURE dbo.SearchWidgets 
      @SearchTerm VARCHAR(50)
    AS
    BEGIN
        DECLARE @filter VARCHAR(52)
        SELECT @filter = '%' + @SearchTerm + '%'
        SELECT Id, Name FROM dbo.Widget WHERE Name LIKE @filter
    END
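
The distinction benologist draws (concatenating the search term into the SQL text versus passing it as a parameter and adding the wildcards to the value inside the database) can be shown end to end in a few lines. The following is an added example, not code from the comment or from the linked article; it uses Python's built-in sqlite3 with a constructed in-memory `Widget` table, since SQLite has no stored procedures, and `'%' || ? || '%'` plays the role of the proc's `'%' + @SearchTerm + '%'`. The table contents and the search inputs are made up for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for dbo.Widget (assumed shape: Id, Name).
WIDGETS = [(1, "Blue Widget"), (2, "Red Gadget"), (3, "Green Widget")]


def make_db():
    """Create an in-memory database with the sample Widget table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Widget (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL)")
    conn.executemany("INSERT INTO Widget (Id, Name) VALUES (?, ?)", WIDGETS)
    conn.commit()
    return conn


def search_concatenated(conn, term):
    """The pattern the article warns about: the user's input becomes SQL text.

    Whether this runs inline or inside a proc that EXECs the assembled string,
    the database parser sees whatever the caller typed.
    """
    sql = "SELECT Id, Name FROM Widget WHERE Name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Mirrors the SearchWidgets proc above.

    The wildcards are joined to the *value* by the database engine, so the
    search term is only ever data: it can never change the statement's shape.
    """
    sql = "SELECT Id, Name FROM Widget WHERE Name LIKE '%' || ? || '%'"
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for term in ("Widget", "' OR 1=1 --"):
        print(repr(term))
        print("  concatenated :", search_concatenated(db, term))
        print("  parameterized:", search_parameterized(db, term))
```

With an ordinary term both functions return the same two rows. With input containing a quote and a tautology, the concatenated query returns every row because the input has rewritten the WHERE clause, while the parameterized query simply looks for a name containing that literal string and returns nothing. That is the whole of the argument: the proc is only safe because the term stays a parameter all the way down.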

------
the_gipsy
Use parameterized queries: [http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html](http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html)

------
mylittlepony
This is link bait. Where is the stored procedure and ORM again? Of course you
will be vulnerable if you do the query concatenation yourself!

