Title: SQL Injection in stored procedures
Post by: eyenit0 on March 28, 2012, 09:05:29 AM
So, I know that stored procedures are still vulnerable to SQLi if the parameters are not handled properly, but I'm no SQL guru and need some help.
We all know that a query like this is still vulnerable:
SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''
What about queries like this:
SELECT id FROM products WHERE name LIKE '%' + @description + '%'
Is the description parameter still vulnerable because it is concatenated, or is it safe because it doesn't have the quotes around it?
Thanks for your help!
Title: Re: SQL Injection in stored procedures
Post by: eyenit0 on March 29, 2012, 02:44:28 PM
Hmm, not much help around here this week, eh? I think I figured this one out and concluded that the second query is not vulnerable.
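To illustrate the distinction the question turns on, here is an added example that is not code from the original thread. It assumes SQL Server T-SQL and a hypothetical table dbo.products(id, name); the three procedure names are made up for the example.

```sql
-- Added example (not from the original post). Assumes a hypothetical
-- table dbo.products(id INT, name NVARCHAR(100)) on SQL Server.

-- Vulnerable pattern (first query in the thread): the parameter is spliced
-- into the TEXT of a query that is then executed, so quote characters in
-- @prodname change the structure of the generated statement.
CREATE PROCEDURE dbo.FindProduct_Dynamic @prodname NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT id FROM dbo.products WHERE';
    SELECT @sql = @sql + N' name LIKE ''' + @prodname + N'''';
    EXEC (@sql);   -- @prodname became part of SQL text: injectable
END;
GO

-- Pattern from the second query in the thread: the + runs inside the
-- query's expression evaluation. @description is a bound value and is
-- never parsed as SQL, so quotes in it are just data.
CREATE PROCEDURE dbo.FindProduct_Static @description NVARCHAR(100)
AS
BEGIN
    SELECT id FROM dbo.products WHERE name LIKE '%' + @description + '%';
END;
GO

-- If dynamic SQL is genuinely needed, keep the value out of the SQL text
-- by passing it to sp_executesql as a typed parameter.
CREATE PROCEDURE dbo.FindProduct_DynamicSafe @prodname NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id FROM dbo.products WHERE name LIKE @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(100)', @p = @prodname;
END;
GO

-- Constructed check value containing an apostrophe. The static and
-- sp_executesql versions search for the literal name O'Brien; the dynamic
-- version fails with a syntax error because the apostrophe terminated the
-- string literal inside the generated SQL text.
EXEC dbo.FindProduct_Static      @description = N'O''Brien';
EXEC dbo.FindProduct_DynamicSafe @prodname    = N'O''Brien';
EXEC dbo.FindProduct_Dynamic     @prodname    = N'O''Brien';  -- error
```

In all three forms the characters % and _ inside the value are still LIKE wildcards, which is a search-semantics issue rather than injection; escape them with an ESCAPE clause if exact matching is required.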