Full Disclosure mailing list archives
Re: [WEB SECURITY] Re: SQL Injection + Stored Procedures
From: "Chris Ramirez" <cramirez () corpedia com>
Date: Tue, 31 Oct 2006 15:35:55 -0700
Another option is to use INFORMATION_SCHEMA views to get the info.

    SELECT ROUTINE_DEFINITION
    FROM INFORMATION_SCHEMA.ROUTINES
    WHERE ROUTINE_NAME = 'sp_whatever'

More info on Information Schema views -
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_ia-iz_4pbn.asp

Regards,

Chris Ramirez
Senior Software Engineer - Security Specialist
Corpedia, Inc.

-----Original Message-----
From: m.delibero () comcast net [mailto:m.delibero () comcast net]
Sent: Tuesday, October 31, 2006 1:42 PM
To: Andres Molinetti; full-disclosure () lists grok org uk
Cc: websecurity () webappsec org
Subject: [WEB SECURITY] Re: [Full-disclosure] SQL Injection + Stored Procedures

Andres,

Stored procedures are saved in the syscomments table in the text field. They are then tied to the sysobjects table by the field id.

    SELECT sc.Text
    FROM syscomments sc
    JOIN sysobjects so ON so.id = sc.id
    WHERE so.Name LIKE '%PROC_NAME%'

That query would retrieve the body of the stored procedure based on the stored procedure name. Be warned that the stored procedure body can be in multiple rows depending on how big the sp is.

Thanks,
Mike de Libero

-------------- Original message ----------------------
From: "Andres Molinetti" <andymolinetti () hotmail com>

Hi,

Does anyone know how to get the body of a stored procedure in MS SQL Server through a SELECT statement? In other words, are the Stored Procedure bodies saved in any accessible system table?

Cheers,
Andy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
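An added example, not part of any poster's message: a T-SQL script that shows the multi-row storage mentioned in the thread, compares how much of a long procedure body each catalog source returns, and then checks that an account holding only EXECUTE cannot read the definition. It assumes SQL Server 2005 or later, a scratch database, and a client that understands the GO batch separator (sqlcmd or SSMS); the names demo_long_proc and demo_app are constructed for the illustration.

```sql
-- Added example; all object names are constructed for the demonstration.
-- Build a procedure whose source is longer than 4000 characters.
DECLARE @sql nvarchar(max);
SET @sql = N'CREATE PROCEDURE dbo.demo_long_proc AS /* '
         + REPLICATE(CONVERT(nvarchar(max), N'x'), 9000)
         + N' */ SELECT 1 AS n;';
EXEC sp_executesql @sql;
GO

-- 1. syscomments stores the body in chunks of up to 4000 characters,
--    one row per chunk; colid gives the order needed to reassemble them.
SELECT sc.colid, DATALENGTH(sc.text) / 2 AS chunk_chars
FROM syscomments sc
JOIN sysobjects so ON so.id = sc.id
WHERE so.name = 'demo_long_proc'
ORDER BY sc.colid;

-- 2. ROUTINE_DEFINITION holds only the first 4000 characters, while
--    OBJECT_DEFINITION() returns the whole body as nvarchar(max).
SELECT LEN(r.ROUTINE_DEFINITION) AS info_schema_chars,
       LEN(OBJECT_DEFINITION(OBJECT_ID(N'dbo.demo_long_proc'))) AS full_chars
FROM INFORMATION_SCHEMA.ROUTINES r
WHERE r.ROUTINE_SCHEMA = 'dbo' AND r.ROUTINE_NAME = 'demo_long_proc';

-- 3. Least-privilege check: a principal that may only EXECUTE the procedure
--    (as an application account should) holds no permission that exposes
--    the definition, so the catalog does not hand the source text to it.
CREATE USER demo_app WITHOUT LOGIN;
GRANT EXECUTE ON dbo.demo_long_proc TO demo_app;
EXECUTE AS USER = 'demo_app';
SELECT HAS_PERMS_BY_NAME(N'dbo.demo_long_proc', 'OBJECT', 'VIEW DEFINITION')
           AS can_view_definition,
       OBJECT_DEFINITION(OBJECT_ID(N'dbo.demo_long_proc')) AS body;
REVERT;

-- 4. Audit: explicit grants that let a principal read object definitions.
SELECT pr.name AS principal, pe.permission_name, pe.class_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN ('VIEW DEFINITION', 'ALTER', 'CONTROL')
  AND pe.state IN ('G', 'W');

-- Clean up the constructed objects.
DROP USER demo_app;
DROP PROCEDURE dbo.demo_long_proc;
```

Step 4 lists explicit grants only; members of fixed roles such as db_owner and db_ddladmin can read definitions without appearing in it.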
Current thread:
- SQL Injection + Stored Procedures Andres Molinetti (Oct 31)
- <Possible follow-ups>
- Re: SQL Injection + Stored Procedures m . delibero (Oct 31)
- Re: [WEB SECURITY] Re: SQL Injection + Stored Procedures Chris Ramirez (Oct 31)