
If I write a dynamic query inside a stored procedure, will it be at risk of a SQL injection attack?

Aarti Meswania asked:


These are two examples...
SQL
create procedure Details
(
   @Date int,
   @CompId int
)
as 
begin

declare @a varchar(max);
declare @Afterpoint varchar(10);

-- number of decimal places for this company, spliced into the SQL text as-is
select @Afterpoint = Afterpoint from tbl_setting where CompId = @CompId;

-- build the statement by string concatenation
-- (@a must be initialised; NULL + '...' is NULL and exec(NULL) does nothing)
set @a = ' select VouNo, VouDesc, convert(varchar(100), CAST(Amount AS NUMERIC(18,' + @Afterpoint + '))) as FormattedAmount from tbl_Trans where vouDate = ' + convert(varchar(20), @Date);

exec(@a);
 
end


SQL
Alter procedure VisitorDetails1
@name nvarchar(50),
@City nvarchar(100),
@Dept nvarchar(max),
@TableName nvarchar(50)
as
 
IF (EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME=@TableName)) 
--IF db_id('@TabName') IS NOT NULL
--IF OBJECT_ID('@TabName','U') is not null
begin
 
-- nvarchar(max): the concatenated statement is longer than 50 characters and would be truncated
Declare @set nvarchar(max)
set @set='insert into '+@TableName+'(Name,City,Dept) values(''' + @name + ''',''' + @City + ''',''' + @Dept + ''')'
 
exec(@set)
Print 'Success'
end
else
begin
print 'Table is Not there'
end


I have used dynamic SQL in these SPs...
Is it easy to perform "SQL injection" on these procs? If yes, then how?
Tags: SQL Server 2000, SQL Server 2005, SQL Server
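The following is an added example, not code from the original post. It rewrites the two procedures above so that caller-supplied values never become part of the SQL text. In the original VisitorDetails1, the INFORMATION_SCHEMA check already restricts @TableName to an existing table name, but @name, @City and @Dept are concatenated straight into the statement (wrapping them in quotes does not neutralise a quote inside the value). In the original Details, @Date is an int and so cannot carry SQL, but the Afterpoint setting read from tbl_setting is spliced into the text as a string, so whatever is stored in that row is executed as code. Table and column names (tbl_Trans, tbl_setting, Afterpoint, VouNo, VouDesc, Amount, vouDate) are taken from the question; the procedure names with the _Safe suffix, the 0..18 scale bound and the use of TRY_CAST/THROW (SQL Server 2012 or later; use RAISERROR on the 2000/2005 versions in the tags) are assumptions.

```sql
-- Added example: parameterised versions of the two procedures from the question.
-- Identifiers cannot be bound as parameters, so they are resolved against the catalog
-- and rebuilt with QUOTENAME; all values are passed to sp_executesql as typed parameters.

CREATE PROCEDURE dbo.Details_Safe
(
    @Date   int,
    @CompId int
)
AS
BEGIN
    SET NOCOUNT ON;

    -- The scale comes from a settings table, not from the caller, but it still reaches the
    -- SQL text: read it as an integer and bound it so a tampered row cannot inject code.
    DECLARE @Afterpoint int;
    SELECT @Afterpoint = TRY_CAST(Afterpoint AS int)
    FROM dbo.tbl_setting
    WHERE CompId = @CompId;

    IF @Afterpoint IS NULL OR @Afterpoint < 0 OR @Afterpoint > 18   -- assumed valid range for NUMERIC(18, s)
        THROW 50001, 'Invalid Afterpoint setting for this company.', 1;

    -- Only the validated integer scale is spliced into the text; @Date travels as a parameter.
    DECLARE @sql nvarchar(max) =
          N'SELECT VouNo, VouDesc, '
        + N'CONVERT(varchar(100), CAST(Amount AS NUMERIC(18,' + CAST(@Afterpoint AS nvarchar(2)) + N'))) AS FormattedAmount '
        + N'FROM dbo.tbl_Trans WHERE vouDate = @vouDate;';

    EXEC sys.sp_executesql @sql, N'@vouDate int', @vouDate = @Date;
END
GO

CREATE PROCEDURE dbo.VisitorDetails1_Safe
(
    @name      nvarchar(50),
    @City      nvarchar(100),
    @Dept      nvarchar(max),
    @TableName sysname
)
AS
BEGIN
    SET NOCOUNT ON;

    -- Resolve the name to an existing user table first; anything else is rejected
    -- before a single character of SQL text is built.
    DECLARE @ObjectId int = OBJECT_ID(QUOTENAME(@TableName), 'U');
    IF @ObjectId IS NULL
    BEGIN
        PRINT 'Table is Not there';
        RETURN;
    END

    -- Rebuild the identifier from the catalog (not from the input string) and quote it.
    DECLARE @QuotedTable nvarchar(300) =
        QUOTENAME(OBJECT_SCHEMA_NAME(@ObjectId)) + N'.' + QUOTENAME(OBJECT_NAME(@ObjectId));

    -- Values are never concatenated into the statement; they are bound as parameters,
    -- so a quote inside @name, @City or @Dept is stored as data, not parsed as SQL.
    DECLARE @sql nvarchar(max) =
        N'INSERT INTO ' + @QuotedTable + N' (Name, City, Dept) VALUES (@name, @City, @Dept);';

    EXEC sys.sp_executesql @sql,
         N'@name nvarchar(50), @City nvarchar(100), @Dept nvarchar(max)',
         @name = @name, @City = @City, @Dept = @Dept;

    PRINT 'Success';
END
GO
```

The rule these two procedures follow is the general one for dynamic SQL on SQL Server: anything that is a value goes through sp_executesql as a parameter, and anything that must be an identifier is checked against the catalog and wrapped in QUOTENAME. EXEC(@string) with concatenated input is the pattern to look for when reviewing a stored procedure for injection, whether the string pieces come from a caller or from another table.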




