Can't set list of valid values
I have a report that uses a parameterized query to select the dataset available to the report. This is set by a report parameter of the same name. Then I read in the MSDN article http://msdn.microsoft.com/en-us/library/ms155908(v=SQL.100).aspx on setting parameters in a published report about the possibility of SQL injection being used in report parameters that match up with query parameters. (We won't even go into the issue of how every database developer has had it beaten into his or her head that the way to beat SQL injection was to use parameterized queries.) The article said the way to beat this was to make a list of valid values for the parameter. OK, I have several thousand valid values, but in BIDS you can set the valid values for a report parameter by specifying that the report get the values from a query. The problem is that instead of letting you provide the text of a query to be utilized, it provides a selection of a dataset and the field in the dataset. So I do this. But now, instead of just comparing the entry to a list of valid values, it provides a drop-down showing all the many thousands of possible valid values. It is stupid to provide a drop-down of many thousand values. So how do I protect against SQL injection while making a usable report? This report is for SSRS 2008 in BIDS 2008.
Edward R. Joell MCSD MCDBA
May 16th, 2011 3:42pm
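The three approaches discussed in the question, shown side by side as an added example in Python with the standard-library sqlite3 module. This is not code from the original post and not how SSRS itself binds parameters; the `sales` table, its rows and the crafted test input are constructed for the demo. It shows why a value pasted into the query text changes the query, why a bound parameter does not, and how the "list of valid values" idea can be applied as a server-side membership check against a dataset query rather than as a drop-down of thousands of entries.

```python
import sqlite3

# Constructed sample data standing in for the several-thousand-row
# dataset that the report parameter is supposed to draw from.
SAMPLE_ROWS = [("North", 100), ("South", 200), ("East", 300)]

# A test input containing a quote and a tautology; with concatenation it
# alters the WHERE clause, with a bound parameter it is just a string.
CRAFTED = "x' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_concatenated(conn, region):
    """Vulnerable pattern: the parameter value becomes part of the SQL text,
    so quote characters in the value are parsed as SQL syntax."""
    sql = ("SELECT amount FROM sales WHERE region = '" + region + "'"
           " ORDER BY amount")
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, region):
    """Safe pattern: the value is bound as a query parameter and compared
    literally, never parsed as SQL."""
    sql = "SELECT amount FROM sales WHERE region = ? ORDER BY amount"
    return [row[0] for row in conn.execute(sql, (region,))]


def valid_regions(conn):
    """Allow-list of valid parameter values, obtained from a dataset query
    (the same idea as 'get the values from a query' in the report designer)."""
    return {row[0] for row in conn.execute("SELECT DISTINCT region FROM sales")}


def query_allowlisted(conn, region):
    """Validate the submitted value against the allow-list before running
    the (already parameterized) query; no drop-down is involved."""
    if region not in valid_regions(conn):
        raise ValueError("parameter value is not in the list of valid values")
    return query_parameterized(conn, region)


if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal value:", query_concatenated(db, "North"))
    print("concatenated, crafted value:", query_concatenated(db, CRAFTED))
    print("parameterized, crafted value:", query_parameterized(db, CRAFTED))
    try:
        query_allowlisted(db, CRAFTED)
    except ValueError as exc:
        print("allow-list rejected crafted value:", exc)
```

Run with the concatenated query, the crafted value returns every row; with the bound parameter it returns nothing, because no region is literally named that; with the allow-list check it never reaches the database at all. The membership check is the defensive part of the article's advice, and it does not require showing the whole list to the user.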
I tried to carry out some SQL injection in a query using a database parameter to query the data for the report. I had created a table in my database. Then I logged out of Windows as someone with the rights of SA and logged back in as someone whose WA login was mapped to db_datareader. I then ran the report as that person. I used SQL injection to issue a drop table command. Nothing happened. So it would appear that SQL injection on report parameters mapped to database parameters does not work either at all, or unless you have rights to the database. Is this correct?
Edward R. Joell MCSD MCDBA
May 17th, 2011 12:28pm