Can SqlServer be configured to not execute stored procs represented as strings?

Scenario A:

using System.Data;
using System.Data.SqlClient;

SqlConnection con = new SqlConnection(myConnString);
// The procedure call, argument included, is sent to the server as one text batch.
SqlDataAdapter adp = new SqlDataAdapter("EXEC spGetUserInfo 42", con);
DataSet ds = new DataSet();
adp.Fill(ds);

Scenario B:

using System.Data;
using System.Data.SqlClient;

SqlConnection con = new SqlConnection(myConnString);
SqlCommand cmd = new SqlCommand();
cmd.Connection = con;
cmd.CommandText = "spGetUserInfo";
// The procedure is called by name; the argument travels as a typed parameter.
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add(new SqlParameter("@UserID", 42));
SqlDataAdapter adp = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adp.Fill(ds);

Question

In a discussion of how to harden SqlServer against SQL injection attacks separately from modifying the code of the main application that calls the database, the question was asked whether SqlServer can be configured to simply not execute stored procs written as in Scenario A, only allowing execution requests written in the form of Scenario B. The theory is that Scenario A would be vulnerable to injection if the host application did not perform input validation, allowing something like "EXEC spGetUserInfo 42; drop database foo; --" to be executed, while Scenario B simply can't be exploited that way, since SqlServer cannot convert "42; drop database foo; --" to an integer.
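The two call styles from the question side by side, as an added example that is not code from the original post: Scenario A built the way an application usually builds it, from an untrusted string, and Scenario B with an explicitly typed parameter. Assumed for the example: a procedure spGetUserInfo(@UserID int) exists in the target database, the connection string is a placeholder, and the attacker string is the one from the question.

```csharp
// Added example (not from the original question). Assumes a database with a
// stored procedure spGetUserInfo(@UserID int); the connection string is a placeholder.
using System;
using System.Data;
using System.Data.SqlClient;

static class UserInfoRepository
{
    // Scenario A as applications typically write it: the caller's input is
    // concatenated into a T-SQL batch. SqlClient sends this to the server as a
    // plain language batch, so whatever the user typed becomes part of the statement.
    public static string BuildScenarioACommand(string untrustedUserId)
    {
        return "EXEC spGetUserInfo " + untrustedUserId;
    }

    public static DataSet GetUserInfoScenarioA(string connString, string untrustedUserId)
    {
        var ds = new DataSet();
        using (var con = new SqlConnection(connString))
        using (var adp = new SqlDataAdapter(BuildScenarioACommand(untrustedUserId), con))
        {
            adp.Fill(ds); // Fill opens and closes the connection itself
        }
        return ds;
    }

    // Scenario B: the procedure is called by name through an RPC request, and the
    // argument is bound as a typed int parameter. Its value is never parsed as T-SQL.
    public static DataSet GetUserInfoScenarioB(string connString, int userId)
    {
        var ds = new DataSet();
        using (var con = new SqlConnection(connString))
        using (var cmd = new SqlCommand("spGetUserInfo", con))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserID", SqlDbType.Int).Value = userId;
            using (var adp = new SqlDataAdapter(cmd))
            {
                adp.Fill(ds);
            }
        }
        return ds;
    }

    // The conversion that makes Scenario B safe happens in the application:
    // the untrusted string must become an int before it can be bound at all.
    public static bool TryParseUserId(string untrusted, out int userId)
    {
        return int.TryParse(untrusted, out userId);
    }

    static void Main()
    {
        // Attacker-controlled input, taken from the question.
        const string attackerInput = "42; drop database foo; --";

        // Scenario A: the batch now carries two statements, the intended EXEC
        // followed by the injected DROP.
        Console.WriteLine(BuildScenarioACommand(attackerInput));

        // Scenario B: the same input never reaches the server, because it does
        // not parse as an int.
        Console.WriteLine(TryParseUserId(attackerInput, out _));
    }
}
```

Two caveats a practitioner would add. First, the protection in Scenario B comes from the typed parameter, not from CommandType.StoredProcedure as such: CommandType.Text with the text "EXEC spGetUserInfo @UserID" and the same SqlParameter is sent by SqlClient as a parameterised sp_executesql call and is equally safe, so "parameterised or not" is the property worth enforcing, not "RPC or not". Second, the guarantee stops at the procedure boundary: if spGetUserInfo itself concatenates @UserID into dynamic SQL, the typed parameter only guarantees that what arrives is an integer, which in that case is exactly the guarantee needed, but a procedure taking a varchar parameter gets no such help.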


Answer (+3):

[Answer text not recovered from the source; surviving fragments: "RPC", "SQL Server", ".StoredProcedure", "SQL", "CONNECT", "SCHEMA", "EXECUTE".]

Answer (+2):

[Answer text not recovered from the source; surviving fragments: "SQL Server", "SQL Injection".]

Answer (+2):

[Answer text not recovered from the source; surviving fragments: "TDS", "TDS_LANGUAGE", "SQL Server", "CommandText", and the link below.]

http://www.sybase.com/content/1040983/Sybase-tds38-102306.pdf

Source: https://habr.com/ru/post/1718064/
