If I write a dynamic query inside a stored procedure, will it be exposed to a SQL injection attack?
These are two examples...
create procedure Details
(
    @Date int,
    @CompId int
)
as
begin
    -- initialise to '' : concatenating onto an unset (NULL) variable leaves it NULL and exec() runs nothing
    declare @a varchar(max) = '';
    -- Amount is a column of tbl_Trans, so it must stay inside the dynamic text;
    -- the int values are converted explicitly, otherwise varchar + int fails to convert
    select @a = @a + ' select VouNo, VouDesc, convert(varchar(100), CAST(Amount AS NUMERIC(18,'
        + (select convert(varchar(10), Afterpoint) from tbl_setting where CompId = @CompId)
        + '))) as FormattedAmount from tbl_Trans where vouDate = ' + convert(varchar(20), @Date);
    exec(@a);
end
Alter procedure VisitorDetails1
    @name nvarchar(50),
    @City nvarchar(100),
    @Dept nvarchar(max),
    @TableName nvarchar(50)
as
IF (EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = @TableName))
begin
    -- nvarchar(max): the built statement is far longer than 50 characters and would be silently truncated
    Declare @set nvarchar(max)
    set @set = 'insert into ' + @TableName + '(Name,City,Dept) values(''' + @name + ''',''' + @City + ''',''' + @Dept + ''')'
    exec(@set)
    Print 'Success'
end
else
begin
    print 'Table is Not there'
end
I have used dynamic SQL in these SPs...
Is it easy to pass "SQL injection" on these procs? If yes, then how?
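An added example, not part of the question and not the asker's code, showing what the second procedure's string building does with a hostile @name, and how both procedures look when rebuilt with sp_executesql parameters and QUOTENAME. The table dbo.tbl_Visitors, the column types of Afterpoint and vouDate, and the _Safe procedure names are assumptions for illustration; TRY_CONVERT needs SQL Server 2012 or later.

```sql
-- Added example (not from the question). dbo.tbl_Visitors, the _Safe names and the
-- column types of tbl_setting.Afterpoint / tbl_Trans.vouDate are assumptions.

-- 1. The attack on VisitorDetails1. The procedure builds
--      insert into <table>(Name,City,Dept) values('<name>','<city>','<dept>')
--    so a single quote inside @name closes the literal, a semicolon ends the
--    statement, and the attacker's own statement follows; the trailing -- turns
--    the rest of the generated text into a comment. The INFORMATION_SCHEMA check
--    does not help: @TableName is a real table, the payload is in @name.
DECLARE @name      nvarchar(50)  = N'x'',''y'',''z''); DELETE FROM dbo.tbl_Visitors; --';
DECLARE @City      nvarchar(100) = N'Pune';
DECLARE @Dept      nvarchar(max) = N'IT';
DECLARE @TableName sysname       = N'tbl_Visitors';

-- same concatenation as the question's procedure, so the result can be inspected
DECLARE @set nvarchar(max) =
    N'insert into ' + @TableName + N'(Name,City,Dept) values('''
    + @name + N''',''' + @City + N''',''' + @Dept + N''')';
PRINT @set;   -- exec(@set) would run the INSERT and then the DELETE
GO

-- 2. Hardened VisitorDetails. Only the table name has to be spliced into the
--    text; it is still checked against INFORMATION_SCHEMA and then wrapped in
--    QUOTENAME. The three values are passed as parameters and never touch the text.
CREATE PROCEDURE dbo.VisitorDetails_Safe
    @name nvarchar(50), @City nvarchar(100), @Dept nvarchar(max), @TableName sysname
AS
BEGIN
    SET NOCOUNT ON;
    IF NOT EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = @TableName)
    BEGIN
        PRINT 'Table is Not there';
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'INSERT INTO ' + QUOTENAME(@TableName)
        + N' (Name, City, Dept) VALUES (@name, @City, @Dept);';

    EXEC sys.sp_executesql @sql,
        N'@name nvarchar(50), @City nvarchar(100), @Dept nvarchar(max)',
        @name = @name, @City = @City, @Dept = @Dept;
    PRINT 'Success';
END;
GO

-- 3. Hardened Details. @Date and @CompId are ints and cannot carry a payload;
--    the part that reaches the text is Afterpoint, a value read from tbl_setting
--    and pasted into a type declaration (NUMERIC(18, n)). A NUMERIC scale cannot
--    be an sp_executesql parameter, so it is read into a typed variable and
--    range-checked before use; @Date is passed as a real parameter.
CREATE PROCEDURE dbo.Details_Safe
    @Date int, @CompId int
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @scale tinyint =
        (SELECT TRY_CONVERT(tinyint, Afterpoint) FROM tbl_setting WHERE CompId = @CompId);
    IF @scale IS NULL OR @scale > 18
    BEGIN
        RAISERROR('Invalid Afterpoint setting for CompId %d', 16, 1, @CompId);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT VouNo, VouDesc, CONVERT(varchar(100), CAST(Amount AS NUMERIC(18, '
        + CONVERT(nvarchar(2), @scale) + N'))) AS FormattedAmount '
        + N'FROM tbl_Trans WHERE vouDate = @Date;';

    EXEC sys.sp_executesql @sql, N'@Date int', @Date = @Date;
END;
GO
```

The rule the two rewrites follow: anything that can be a parameter (values, dates, ids) goes through sp_executesql's parameter list, and the few things T-SQL will not let you parameterise (an object name, a type's precision or scale) are either wrapped in QUOTENAME or converted to a narrow typed variable and validated before they are pasted into the text. Checking that @TableName exists is a reasonable whitelist for the table name, but it does nothing for the value parameters, which is where the second procedure is open.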