Security, Procs, views and ASP .NET

"DazedAndConfused" <AceMago***@yahoo.com> wrote in message news:O188vJFwFHA.2072@TK2MSFTNGP14.phx.gbl...

For all access to the database I am forcing the ASP .NET account to use procs and views and allowing no direct access to tables, will that protect the database from access via IIS?

Is that the common approach?


"JT" <some***@microsoft.com> wrote in message news:eh4OSXFwFHA.2348@TK2MSFTNGP15.phx.gbl...

If any of your stored procedures accept parameters supplied by the web page and then use those parameters to build dynamic SQL, then there is still the possibility of SQL Injection attacks.

For example, if your web page prompts for UserID and PW and the user specifies a UserID of:

' Or 1=1 --

Then the query could become the following, which would always return a Count > 1:

SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''

http://msdn.microsoft.com/msdnmag/issues/04/09/sqlinjection/default.aspx
http://www.sommarskog.se/dynamic_sql.html

"DazedAndConfused" <AceMago***@yahoo.com> wrote in message news:O188vJFwFHA.2072@TK2MSFTNGP14.phx.gbl...
> For all access to the database I am forcing the ASP .NET account to use
> procs and views and allowing no direct access to tables, will that protect
> the database from access via IIS?
>
> Is that the common approach?
>


"DazedAndConfused" <AceMago***@yahoo.com> wrote:

Thank you

"JT" <some***@microsoft.com> wrote in message news:eh4OSXFwFHA.2348@TK2MSFTNGP15.phx.gbl...
> If any of your stored procedures accept parameters supplied by the web
> page and then use those parameters to build dynamic SQL, then
> there is still the possibility of SQL Injection attacks.
>
> For example, if your web page prompts for UserID and PW and the user
> specifies a UserID of:
>
> ' Or 1=1 --
>
> Then the query could become the following, which would always return a
> Count > 1:
>
> SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''
>
> http://msdn.microsoft.com/msdnmag/issues/04/09/sqlinjection/default.aspx
> http://www.sommarskog.se/dynamic_sql.html
>
> "DazedAndConfused" <AceMago***@yahoo.com> wrote in message
> news:O188vJFwFHA.2072@TK2MSFTNGP14.phx.gbl...
>> For all access to the database I am forcing the ASP .NET account to use
>> procs and views and allowing no direct access to tables, will that
>> protect the database from access via IIS?
>>
>> Is that the common approach?
>>
>
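The point JT makes is that "procs only" is not a defence if a proc pastes its parameters into SQL text. As an added example that is not from this thread, here is the login check from the reply written two ways as SQL Server stored procedures: first concatenating the inputs into a statement and running it with EXEC (injectable), then passing them as typed parameters through sp_executesql (not injectable). The table dbo.Users with columns UserName and Password is assumed from the query quoted above; the procedure names are made up for the example.

```sql
-- Added example, not code from the thread. Assumes a table dbo.Users with
-- columns UserName and Password, as in the query quoted in the reply.

-- Unsafe: caller input is spliced into the statement text. A UserName of
--   ' Or 1=1 --
-- closes the string, adds an always-true condition and comments out the
-- password check. Granting EXECUTE on this proc while denying access to
-- dbo.Users does not help, because the proc itself runs the injected SQL.
CREATE PROCEDURE dbo.CheckLogin_Unsafe
    @UserName nvarchar(50),
    @Password nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Count(*) FROM dbo.Users WHERE UserName='''
             + @UserName + N''' AND Password=''' + @Password + N'''';
    EXEC (@sql);   -- the input has become part of the code
END;
GO

-- Hardened: the statement text is a fixed string; the values travel as
-- typed parameters through sp_executesql, so they can never change the
-- shape of the query. @Matches returns the row count to the caller.
CREATE PROCEDURE dbo.CheckLogin_Safe
    @UserName nvarchar(50),
    @Password nvarchar(50),
    @Matches  int OUTPUT
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT @cnt = Count(*) FROM dbo.Users '
             + N'WHERE UserName = @u AND Password = @p';
    EXEC sp_executesql @sql,
        N'@u nvarchar(50), @p nvarchar(50), @cnt int OUTPUT',
        @u = @UserName, @p = @Password, @cnt = @Matches OUTPUT;
END;
GO

-- Same input to both. The unsafe proc counts every row in dbo.Users;
-- the safe proc looks for a user literally named  ' Or 1=1 --  and an
-- empty password, and finds nothing.
DECLARE @n int;
EXEC dbo.CheckLogin_Unsafe @UserName = N''' Or 1=1 --', @Password = N'';
EXEC dbo.CheckLogin_Safe   @UserName = N''' Or 1=1 --', @Password = N'',
                           @Matches = @n OUTPUT;
SELECT @n AS SafeMatches;
```

When the query text does not actually need to vary, the simplest fix is to drop dynamic SQL from the proc altogether and write the SELECT directly against the parameters; sp_executesql is the tool for the cases where the statement must be assembled at run time (the sommarskog.se article linked above covers those in depth). Either way, restricting the ASP .NET account to EXECUTE on procs is still worth doing, since it limits what an injected statement can reach, but it is a second layer, not a substitute for parameterisation.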