I have studied SQL Injection and how to prevent it a great deal.
But I have a question related to SQL Injection:
I know that SQL Injection is possible in dynamic queries,
like:
ALTER PROCEDURE sp_GetProduct(@Name NVARCHAR(50))
AS
BEGIN
DECLARE @sqlcmd NVARCHAR(MAX);
-- @Name is concatenated straight into the statement text
SET @sqlcmd = N'SELECT * FROM tbl_Product WHERE Name = ''' + @Name + '''';
EXECUTE(@sqlcmd);
END
and an attack is possible just by passing the value of the @Name parameter as:
Shampoo'; DROP TABLE tbl_Product; --
Now I use a non-dynamic query in the SP,
like:
ALTER PROCEDURE sp_GetProduct(@Name NVARCHAR(50))
AS
-- @Name is used as a parameter, not as part of the statement text
SELECT * FROM tbl_Product WHERE Name = @Name;
So my question is: when I use non-dynamic queries,
Q1. Is SQL injection possible? And if yes, then
Q2. How?
Give me some ideas.
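Added example, not part of the question above: the dynamic version of the procedure rewritten so that the value travels as a bound parameter through sp_executesql rather than being concatenated into the statement text, together with a small constructed tbl_Product to try both inputs from the question against. Table and column names are taken from the question; the @pName placeholder name is my own.

```sql
-- Constructed demo table (not from the original post)
CREATE TABLE tbl_Product (Id INT IDENTITY(1,1) PRIMARY KEY, Name NVARCHAR(50) NOT NULL);
INSERT INTO tbl_Product (Name) VALUES (N'Shampoo'), (N'Soap');
GO

-- Dynamic SQL done safely: the statement text contains only a placeholder,
-- and the user-supplied value is handed to sp_executesql as a typed parameter.
CREATE OR ALTER PROCEDURE sp_GetProduct(@Name NVARCHAR(50))
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @sqlcmd NVARCHAR(MAX) = N'SELECT * FROM tbl_Product WHERE Name = @pName;';
    DECLARE @params NVARCHAR(MAX) = N'@pName NVARCHAR(50)';

    -- Whatever @Name contains is compared as a single string value against the
    -- Name column; it is never parsed as part of the SQL statement.
    EXECUTE sp_executesql @sqlcmd, @params, @pName = @Name;
END
GO

-- Normal lookup
EXEC sp_GetProduct @Name = N'Shampoo';

-- The input string from the question, passed as a value: it is looked up
-- literally as a product name, and the DROP TABLE text is never executed.
EXEC sp_GetProduct @Name = N'Shampoo''; DROP TABLE tbl_Product; --';

-- The table is still present after the call above
SELECT COUNT(*) AS ProductCount FROM tbl_Product;
GO
```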