Home Forums SQL Server 7,2000 T-SQL Avoiding injection on stored procedure RE: Avoiding injection on stored procedure

  • March 18, 2009 at 12:29 pm

    #962165

    bitbucket (3/18/2009)

    Might I suggest:

    CREATE PROCEDURE USPDeleteAnswers

    @Id varchar(50),

    @QId varchar(100)

    AS

    DECLARE @SQL nvarchar(255)

    SET @SQL = 'DELETE FROM tblUserAnswer where Id = ''' + @Id + ''' and QuestionId in (' + @QId + ' )'

    PRINT @SQL -- delete after testing

    EXEC sp_executesql @SQL

    Test run as:

    Dbo.USPDeleteAnswers 'abcdeid', '1,5,20'

    Then alter the SP to delete the print statement

    Note that each passed parameter is passed in character / varchar format, that is do not forget the ' ' surrounding each passed value.

    Since the title of this thread is “Avoiding injection on stored procedure”, have you considered what would happen if they passed the following as parameters:

    Execute USPDeleteAnswers @Id = 'abc', @QuestionId = ' 1,3 ) or 1 = 1 -- '