
SQL Injection in stored procedures


eyenit0


Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Wed Mar 28, 2012 9:05 am

SQL Injection in stored procedures

So, I know that stored procedures are still vulnerable to SQLi if the parameters are not handled properly, but I'm no SQL guru and need some help.

We all know that a query like this is still vulnerable:
SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''

What about queries like this:
SELECT id FROM products WHERE name LIKE '%' + @description + '%'

Is the description parameter still vulnerable because it is concatenated, or is it safe because it doesn't have the quotes around it?
Thanks for your help!

eyenit0


Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Thu Mar 29, 2012 2:44 pm

Re: SQL Injection in stored procedures

Hmm, not much help around here this week, eh? I think I figured this one out and concluded that the second query is not vulnerable.
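The two patterns from this thread side by side, as added example code that is not from the original posts: T-SQL (the question's `SELECT @sql = @sql + ...` is SQL Server syntax), assuming a hypothetical dbo.products(id, name) table and procedure names chosen for illustration. It also shows the sp_executesql fix for the first pattern and a wildcard-escaping variant of the second.

```sql
-- Added example (not from the original posts). Assumes a hypothetical
-- dbo.products(id, name) table; procedure names are illustrative only.

-- 1. Dynamic SQL: @prodname is spliced into the query TEXT, so a quote in
--    the value changes the statement itself. This is the injectable pattern.
CREATE PROCEDURE dbo.FindProduct_Dynamic @prodname NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT id FROM dbo.products WHERE';
    SELECT @sql = @sql + N' name LIKE ''' + @prodname + N'''';
    EXEC (@sql);   -- @prodname is executed as part of the SQL string
END;
GO

-- 2. Hardened dynamic SQL: the statement text is fixed and the value is
--    handed over as a typed parameter through sp_executesql.
CREATE PROCEDURE dbo.FindProduct_Param @prodname NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id FROM dbo.products WHERE name LIKE @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(100)', @p = @prodname;
END;
GO

-- 3. The second query from the thread: the concatenation happens inside a
--    statement the engine has already parsed, so @description is always a
--    string VALUE, never SQL text. A quote in it just becomes part of the
--    search string. What it can still do is act as a LIKE wildcard (% or _),
--    which widens the match but cannot alter the statement.
CREATE PROCEDURE dbo.FindProduct_Static @description NVARCHAR(100)
AS
BEGIN
    SELECT id FROM dbo.products WHERE name LIKE '%' + @description + '%';
END;
GO

-- 4. Same query with LIKE metacharacters escaped, so % and _ in user input
--    match literally instead of widening the search.
CREATE PROCEDURE dbo.FindProduct_Static_Escaped @description NVARCHAR(100)
AS
BEGIN
    DECLARE @pattern NVARCHAR(300) =
        N'%' + REPLACE(REPLACE(REPLACE(@description, N'\', N'\\'),
                               N'%', N'\%'), N'_', N'\_') + N'%';
    SELECT id FROM dbo.products WHERE name LIKE @pattern ESCAPE N'\';
END;
GO
```

The distinction to check in a review is whether a parameter ends up inside a string that is later passed to EXEC or sp_executesql as query text (pattern 1), or inside an expression of an already-parsed statement (pattern 3); only the former lets the value change the SQL.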
