SQL Injection in stored procedures

  • Author
    • #7457

      So, I know that stored procedures are still vulnerable to SQLi if the parameters are not handled properly, but I’m no SQL guru and need some help.

      We all know that a query like this is still vulnerable:
      SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''

      What about queries like this:
      SELECT id FROM products WHERE name LIKE '%' + @description + '%'

      Is the description parameter still vulnerable because it is concatenated, or is it safe because it doesn’t have the quotes around it?
      Thanks for your help!

    • #46565

      Hmm, not much help around here this week, eh? I think I figured this one out and concluded that the second query is not vulnerable.
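An added example, not from the thread, that models the two queries with Python and sqlite3 (sqlite spells string concatenation `||` where T-SQL uses `+`, and a bound `?` stands in for the stored-procedure parameter). The first function splices the value into the SQL text, as building `@sql` and running it with `EXEC` does; the second keeps the SQL text fixed and concatenates the value inside the expression. A lone apostrophe in the input is the defender's check for which case you have: a syntax error means the input is being parsed as code.

```python
import sqlite3

# Constructed sample data for the example (not from the forum post).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO products (name) VALUES (?)",
                 [("Widget",), ("O'Reilly Gadget",), ("Gizmo",)])


def search_dynamic_sql(prodname):
    """Models the first query: the value becomes part of the SQL text and
    that text is executed, as EXEC(@sql) would do. A quote inside the value
    changes the statement's structure, so this is injectable."""
    sql = "SELECT id FROM products WHERE name LIKE '" + prodname + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(description):
    """Models the second query: the SQL text never changes; the parameter is
    bound as a value and concatenated inside the expression
    ('%' || ? || '%', sqlite's spelling of '%' + @description + '%').
    Quotes in the value are data and cannot alter the statement."""
    sql = "SELECT id FROM products WHERE name LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (description,))]


def apostrophe_check(search_fn, value="O'Reilly"):
    """Smoke test: run a search with an apostrophe in the input. If the
    database reports a syntax error, the input was parsed as SQL code
    rather than treated as a value."""
    try:
        search_fn(value)
        return "value handled as data"
    except sqlite3.OperationalError:
        return "syntax error: input parsed as SQL"


if __name__ == "__main__":
    print("dynamic SQL   :", apostrophe_check(search_dynamic_sql))
    print("parameterised :", apostrophe_check(search_parameterised))
    print("match for O'Reilly:", search_parameterised("O'Reilly"))
```

Note that in the parameterised form the value can still carry LIKE wildcards (`%`, `_`), which affects which rows match but not the structure of the statement.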

Copyright ©2021 Caendra, Inc.
