My web server has MsSql at the back-end and ASP at the front-end. A UserID, Password, and a dynamically generated code field are present on the website for the user to log on. There are other features in the website such as search and advanced search.
At the back-end, we are using stored procedures to secure against injection attacks. However, according to a result audit done on the site using tools (both commercial and open-source), the results have been otherwise. A clear situation of successful SQL injection attack has been shown in the report (in the advanced search field and other pages).
My question and concern is:
a) Does using stored procedures not thwart the Injection attack?
b) What other possible method can I implement to ensure consistency and security over the site?
c) How do I test the security myself (with or without the third-party tools)?
Your opinions and suggestions are welcome.
Thanks.
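An added illustration, not code from the poster's site, of why a stored procedure on its own does not answer question (a). The schema (`dbo.Products`), the procedure names and the parameter names are assumptions constructed for this example. The first procedure builds its query by concatenating the search text into a SQL string and running it with `EXEC`, so the caller's text is executed as SQL; the second runs the same search through `sp_executesql` with bound parameters, so the search text is only ever data. This is T-SQL for SQL Server.

```sql
-- Constructed schema for the example (not the poster's real tables).
CREATE TABLE dbo.Products (
    ProductId int           NOT NULL PRIMARY KEY,
    Name      nvarchar(100) NOT NULL,
    Category  nvarchar(50)  NOT NULL
);
GO

-- UNSAFE: a stored procedure that is still injectable.
-- The input is spliced into the SQL text, so a quote or keyword in
-- @Name or @Category becomes part of the statement that EXEC runs.
CREATE PROCEDURE dbo.AdvancedSearch_Unsafe
    @Name     nvarchar(100) = NULL,
    @Category nvarchar(50)  = NULL
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductId, Name, Category FROM dbo.Products WHERE 1 = 1';

    IF @Name IS NOT NULL
        SET @sql += N' AND Name LIKE ''%' + @Name + N'%''';      -- text becomes code
    IF @Category IS NOT NULL
        SET @sql += N' AND Category = ''' + @Category + N'''';   -- text becomes code

    EXEC (@sql);   -- whatever the user typed is now executed as SQL
END
GO

-- SAFE: same dynamic search, but the values travel as parameters.
-- The SQL text only ever contains parameter markers; user input is
-- bound to them by sp_executesql and cannot change the statement.
CREATE PROCEDURE dbo.AdvancedSearch_Safe
    @Name     nvarchar(100) = NULL,
    @Category nvarchar(50)  = NULL
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductId, Name, Category FROM dbo.Products WHERE 1 = 1';

    IF @Name IS NOT NULL
        SET @sql += N' AND Name LIKE @NamePattern';   -- marker, not the value
    IF @Category IS NOT NULL
        SET @sql += N' AND Category = @Category';     -- marker, not the value

    -- Build the LIKE pattern as a value, not as SQL text.
    DECLARE @NamePattern nvarchar(102) = N'%' + @Name + N'%';

    EXEC sp_executesql
        @sql,
        N'@NamePattern nvarchar(102), @Category nvarchar(50)',
        @NamePattern = @NamePattern,
        @Category    = @Category;
END
GO

-- Harmless self-check for the safe version: an apostrophe in the input
-- must be treated as a literal character, not as a string terminator.
-- This call returns zero or more rows and never errors.
EXEC dbo.AdvancedSearch_Safe @Name = N'O''Brien', @Category = N'Books';
GO
```

Two points follow from this for questions (b) and (c). First, the same rule applies on the ASP side: if the page builds a string such as `"EXEC dbo.AdvancedSearch_Safe '" & Request("name") & "'"` and runs it, the procedure's internal safety is irrelevant, because the injection happens before the procedure is reached; the page should call the procedure through an `ADODB.Command` with `adCmdStoredProc` and `Parameters.Append`, so the values are bound rather than concatenated. Second, a quick manual check is to feed each search and login field a single apostrophe (`'`) and a value with an embedded quote like the `O'Brien` above: a correct implementation returns a normal empty result, while a database error page, a changed result set or a visibly different response indicates that the input reached the SQL text, which is exactly what the audit tools flagged. Reviewing every procedure for `EXEC (@sql)` and string concatenation, and every ASP page for string-built SQL, is the systematic version of that check.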