I am executing MS SQL Server SPROCs through a Perl program. The critical piece of code that sets up the execute statement follows:
$Command = join(' ',
@CHOICE[1 .. $elements_in_array]) . '';
I really want advice on the best way of preventing a malicious injection attack or some other attack. I guess that it might be an idea to limit the SPROCs that can be called. It might be an idea to make it impossible to activate any SPROC that is a system SPROC. That would require screening of the $SPROC variable. Should I exclude the possibility of @CHOICE containing a variable that has DELETE in it? Or a variable that has ';' in it? Is there anything else that I should do?
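The two controls the question circles around are an allowlist of callable procedures and keeping user values out of the SQL text altogether. The following Perl is an added example, not code from the original post: it replaces the string-joined $Command with a small allowlist of procedure names (the names dbo.usp_GetOrder and dbo.usp_UpdateStatus are hypothetical) and a DBI prepared call in which every element of @CHOICE after the procedure name travels as a bind parameter. Blocking "DELETE" or ";" becomes unnecessary, because those characters never reach the parser as SQL. The DSN, user and password are assumed to come from environment variables.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist of stored procedures this program may call, with the number of
# parameters each takes. Anything not listed, including every sp_/xp_ system
# procedure, is rejected by name. (Hypothetical procedure names.)
my %ALLOWED_SPROC = (
    'dbo.usp_GetOrder'     => 1,
    'dbo.usp_UpdateStatus' => 2,
);

# Validate the requested procedure and build a parameterised call.
# The SQL text contains only the allowlisted name and '?' placeholders;
# the caller's values are returned separately so DBI can bind them.
sub build_call {
    my ($sproc, @args) = @_;

    die "procedure '$sproc' is not allowed\n"
        unless exists $ALLOWED_SPROC{$sproc};

    my $expected = $ALLOWED_SPROC{$sproc};
    die "procedure '$sproc' expects $expected argument(s), got "
        . scalar(@args) . "\n"
        unless @args == $expected;

    my $placeholders = join(', ', ('?') x $expected);
    # ODBC call syntax; "EXEC $sproc $placeholders" also works with DBD::ODBC.
    return ("{ call $sproc($placeholders) }", @args);
}

# Run the procedure through DBI. Bound values are sent as typed parameters,
# so a string such as "42; DELETE FROM Orders --" is data, not SQL.
sub run_sproc {
    my ($dbh, $sproc, @args) = @_;
    my ($sql, @binds) = build_call($sproc, @args);
    my $sth = $dbh->prepare($sql);
    $sth->execute(@binds);
    return $sth->fetchall_arrayref({});
}

unless (caller) {
    # @CHOICE in the shape of the original post: element 0 is the procedure
    # name, the rest are its arguments. Constructed sample input with a
    # hostile-looking value to show it stays a bind parameter.
    my @CHOICE = ('dbo.usp_GetOrder', "42; DELETE FROM Orders --");
    my ($sql, @binds) = build_call($CHOICE[0], @CHOICE[1 .. $#CHOICE]);
    print "SQL:   $sql\n";
    print "binds: @binds\n";

    # A system procedure is refused purely because it is not allowlisted.
    eval { build_call('sp_helpdb') };
    print "rejected: $@" if $@;

    # Only talk to a real server when a DSN is configured (assumption).
    if (my $dsn = $ENV{MSSQL_DSN}) {
        require DBI;
        my $dbh = DBI->connect("dbi:ODBC:$dsn",
                               $ENV{MSSQL_USER}, $ENV{MSSQL_PASS},
                               { RaiseError => 1, PrintError => 0 });
        my $rows = run_sproc($dbh, @CHOICE);
        printf "%d row(s) returned\n", scalar @$rows;
        $dbh->disconnect;
    }
}
```

Without MSSQL_DSN set, the script only exercises build_call and prints the generated SQL, the bound values, and the rejection of the non-allowlisted procedure. Pair this with a database login for the Perl program that holds EXECUTE on the allowlisted procedures and nothing else, so that even a logic slip in the allowlist cannot reach system procedures or raw tables.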