Sean Lange (9/24/2013), quoting enriquezreyjoseph (9/23/2013), quoting Sean Lange (9/23/2013):
Instead of this:
SET @SqlQueryFirstName = '@SqlQuery ' + 'firstname = @firstname'
SET @SqlQueryFirstName = @SqlQuery + 'firstname ='+ @firstname
Instead of this, read the article that Jeff suggested. The approach of executing parameters is a VERY VERY VERY bad idea.
Looks very interesting to me... can you give me a link regarding "The approach of executing parameters is VERY VERY VERY bad idea"?
Thanks my friend
How about this one? http://bobby-tables.com/
If that doesn't explain it, how about this simple code example.
--First we need to setup a table
create table MyLoginTable
(
    LoginID int identity primary key,
    UserName varchar(100),      --column types were missing from the post; widths assumed
    UserPassword varchar(100)
)

insert MyLoginTable (UserName, UserPassword)
select 'JModen', 'JModenPassword' union all
select 'GShaw', 'GShawPassword' union all
select 'SJones', 'SJonesPassword'
go

--Now we need to create a proc to pass our parameters
create proc MyLoginProc
(
    @UserName varchar(100),     --parameter widths assumed
    @Password varchar(100)
) as
begin
    declare @SQL varchar(200)
    --the parameter values are pasted straight into the query text
    set @SQL = 'select * from MyLoginTable
    where UserName = ''' + @UserName
    + ''' and UserPassword = ''' + @Password + ''''
    --and the assembled string is executed as-is
    exec (@SQL)
end
go

--This looks pretty harmless. Why is executing parameters such a bad idea?
exec MyLoginProc 'jmoden', 'JModenPassword'
--what happens when you run this one?
exec MyLoginProc ''' or 1 = 1--', ''
--How about this one? I just cleaned up the proc and the table from your database by using parameters to a proc.
exec MyLoginProc ''' or 1 = 1;drop proc MyLoginProc; drop table MyLoginTable;--', ''
Still not convinced that executing parameters directly is a bad idea? Check out the article I suggested from Gail. It shows you how to use dynamic sql and keep it safe from sql injection.
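The safe counterpart to the proc above, added here as an example (not Sean Lange's code): the same lookup written as parameterized dynamic SQL with sp_executesql, so the inputs are bound as data rather than concatenated into the statement. It assumes the MyLoginTable columns UserName and UserPassword from the post; the proc name MyLoginProcSafe and the parameter widths are assumptions.

```sql
-- Added example, not the original poster's code.
-- Assumes MyLoginTable(UserName, UserPassword) from the post above;
-- the proc name and parameter widths are assumed.
create proc MyLoginProcSafe
(
    @UserName varchar(100),
    @Password varchar(100)
) as
begin
    -- sp_executesql requires the statement and the parameter
    -- definition list to be nvarchar
    declare @SQL nvarchar(400)

    -- @u and @p are placeholders; the caller's values never become part
    -- of the query text, so quotes, comments and ; inside them are inert
    set @SQL = N'select * from MyLoginTable
                  where UserName = @u and UserPassword = @p'

    exec sp_executesql @SQL,
         N'@u varchar(100), @p varchar(100)',
         @u = @UserName,
         @p = @Password
end
go

-- A normal login still returns its row
exec MyLoginProcSafe 'JModen', 'JModenPassword'

-- The injection string from the post is now just an odd user name:
-- it matches no row and drops nothing
exec MyLoginProcSafe ''' or 1 = 1;drop proc MyLoginProc; drop table MyLoginTable;--', ''
```

Parameterizing only closes the injection path; the table still stores passwords in clear text, which is a separate issue.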
Thank you Sean... you're the champion... you made my day (-: