Yelena Varshal (7/25/2008)
Brian, the app uses sp_executesql. This is from the profiler that I just ran for the PW change. The password I submitted to the app was completely different.
execute sp_executesql N'sp_password NULL, ''milm434567'', ''test'''
Disclaimer # 1: I have created cases with the vendor for a number of years to improve the handling of logins.
Disclaimer # 2: I know that dynamic statements are not safe.
Argh. You're right. If you call it through dynamic SQL it doesn't hide it. Not good.
K. Brian Kelley
@kbriankelley
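For the exposure discussed in this thread, here is an added example (not from either poster, and not vendor code) that scans exported trace text for `sp_password` calls, direct or wrapped in `sp_executesql`, and masks the old and new password arguments before the trace is shared. It assumes positional arguments and passwords without embedded quotes; the function names are hypothetical, and every sample line except the one quoted above is constructed.

```python
import re

def _arg(q):
    # One positional sp_password argument: NULL, or a literal whose quote run is
    # ' (direct call) or '' (nested inside an sp_executesql N'...' string).
    return rf"(?:NULL|N?(?P<{q}>'+)[^']*(?P={q}))"

_CALL = re.compile(
    rf"(?P<head>\bsp_password\s+)(?P<old>{_arg('q1')})"
    rf"(?P<sep>\s*,\s*)(?P<new>{_arg('q2')})",
    re.IGNORECASE,
)

def _mask(arg, quotes):
    if quotes is None:               # argument was NULL, nothing to hide
        return arg
    prefix = arg[: arg.index("'")]   # keeps an N prefix if present
    return f"{prefix}{quotes}***{quotes}"

def redact(text):
    """Return (text with old/new passwords masked, number of calls found)."""
    def repl(m):
        return (m["head"] + _mask(m["old"], m["q1"])
                + m["sep"] + _mask(m["new"], m["q2"]))
    return _CALL.subn(repl, text)

def scan(lines):
    """Return [(line_number, redacted_line)] for lines that exposed a password."""
    hits = []
    for n, line in enumerate(lines, 1):
        clean, count = redact(line)
        if count:
            hits.append((n, clean))
    return hits

SAMPLE = [
    # Line quoted in the thread above.
    "execute sp_executesql N'sp_password NULL, ''milm434567'', ''test'''",
    # Constructed lines for illustration.
    "EXEC sp_password 'oldpw', N'newpw', 'test'",
    "SELECT name FROM sys.server_principals",
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE):
        print(n, line)
```

The login name is left in place so the redacted trace still shows which account was changed.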