Title: SQL Injection in stored procedures
Post by: eyenit0 on March 28, 2012, 09:05:29 AM

So, I know that stored procedures are still vulnerable to SQLi if the parameters are not handled properly, but I'm no SQL guru and need some help.

We all know that a query like this is still vulnerable:

SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''

What about queries like this:

SELECT id FROM products WHERE name LIKE '%' + @description + '%'

Is the description parameter still vulnerable because it is concatenated, or is it safe because it doesn't have the quotes around it? Thanks for your help!

Title: Re: SQL Injection in stored procedures
Post by: eyenit0 on March 29, 2012, 02:44:28 PM

Hmm, not much help around here this week, eh? I think I figured this one out and concluded that the second query is not vulnerable.
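The distinction the first post is asking about is whether the parameter value is re-parsed as SQL text (dynamic SQL executed with EXEC) or bound as a value in a statement the server compiled once (a static query, or sp_executesql with a parameter). The following T-SQL is an added example written for this thread, not code posted by eyenit0; it assumes SQL Server, and the table dbo.products, the procedure names and the sample rows are constructed for illustration.

```sql
-- Added example (not from the original thread): T-SQL stored procedures
-- contrasting dynamic SQL built by string concatenation with a static,
-- parameterised query. Table, rows and procedure names are assumed.

-- Constructed sample table.
CREATE TABLE dbo.products (
    id   INT IDENTITY(1,1) PRIMARY KEY,
    name NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.products (name) VALUES (N'Widget'), (N'Gadget'), (N'Widget Pro');
GO

-- 1. Injectable: the parameter value is spliced into SQL text that EXEC
--    later parses, so a quote inside @prodname can change the statement's
--    structure (this is the pattern from the first post).
CREATE PROCEDURE dbo.FindProducts_Dynamic @prodname NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT id FROM dbo.products WHERE';
    SELECT @sql = @sql + N' name LIKE ''' + @prodname + N'''';
    EXEC (@sql);
END;
GO

-- 2. Safe: static query. @description is a value bound at execution time,
--    never re-parsed as SQL, so quotes inside it cannot alter the statement
--    (the pattern the second question asks about).
CREATE PROCEDURE dbo.FindProducts_Static @description NVARCHAR(100)
AS
BEGIN
    SELECT id FROM dbo.products WHERE name LIKE '%' + @description + '%';
END;
GO

-- 3. Safe even when dynamic SQL is genuinely needed: sp_executesql passes
--    the value as a parameter of the dynamic statement instead of splicing
--    it into the SQL text.
CREATE PROCEDURE dbo.FindProducts_DynamicParam @description NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id FROM dbo.products WHERE name LIKE ''%'' + @d + ''%''';
    EXEC sp_executesql @sql, N'@d NVARCHAR(100)', @d = @description;
END;
GO

-- Caveat that is not injection: LIKE metacharacters (%, _ and [ in SQL
-- Server) inside the value still affect matching. Escape them when the
-- caller should get a literal substring match.
CREATE PROCEDURE dbo.FindProducts_Literal @description NVARCHAR(100)
AS
BEGIN
    DECLARE @escaped NVARCHAR(400) =
        REPLACE(REPLACE(REPLACE(REPLACE(@description,
            N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[');
    SELECT id FROM dbo.products WHERE name LIKE '%' + @escaped + '%' ESCAPE '\';
END;
GO

-- Usage: the static and parameterised forms match rows by value only;
-- the literal form treats '100%' as the characters 1, 0, 0, % rather than
-- as a wildcard pattern.
EXEC dbo.FindProducts_Static N'Widget';
EXEC dbo.FindProducts_DynamicParam N'Widget';
EXEC dbo.FindProducts_Literal N'100%';
```

The deciding factor is not the presence or absence of quotes around the parameter in the source text but whether EXEC (or EXECUTE) is run on a string that contains the value. In procedures 2 and 3 the value travels as data, so the only things worth checking are wildcard handling and input length; in procedure 1 the only real fix is to stop building the statement from the value, as procedure 3 does.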