bitbucket (3/18/2009)
Might I suggest:
CREATE PROCEDURE USPDeleteAnswers
@Id varchar(50),
@QId varchar(100)
AS
DECLARE @SQL nvarchar(255)
SET @SQL = 'DELETE FROM tblUserAnswer where Id = ''' + @Id + ''' and QuestionId in (' + @QId + ' )'
PRINT @SQL -- delete after testing
EXEC sp_executesql @SQL
Test run as:
Dbo.USPDeleteAnswers 'abcdeid', '1,5,20'
Then alter the SP to delete the print statement
Note that each passed parameter is passed in character / varchar format, that is do not forget the ' ' surrounding each passed value.
Since the title of this thread is “Avoiding injection on stored procedure”, have you considered what would happen if they passed the following as parameters:
Execute USPDeleteAnswers @Id = 'abc', @QuestionId = ' 1,3 ) or 1 = 1 -- '