If write dynamic query inside store procedure will it have threat of SQL Injection attack?

Question

0.00/5 (No votes)

See more:

SQL-server-2000

SQL-Server-2005

, +

If write dynamic query inside store procedure will it have threat of SQL Injection attack?

this are two example...

SQL

create procedure Details
(
   @Date int,
   @CompId int
)
as 
begin

declare @a varchar(max); 

select @a = @a + ' select VouNo,VouDesc,convert(varchar(100),CAST(' + convert(varchar(100), Amount) + ' AS NUMERIC(18,'+ (select Afterpoint from tbl_setting where CompId = @CompId) + '))) as FormattedAmount from tbl_Trans where vouDate=' + @Date;

exec(@a);
 
end

SQL

Alter procedure VisitorDetails1
@name nvarchar(50),
@City nvarchar(100),
@Dept nvarchar(max),
@TableName nvarchar(50)
as
 
IF (EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME=@TableName)) 
--IF db_id('@TabName') IS NOT NULL
--IF OBJECT_ID('@TabName','U') is not null
begin
 
Declare @set nvarchar(50)
set @set='insert into '+@TableName+'(Name,City,Dept) values(''' + @name + ''',''' + @City + ''',''' + @Dept + ''')'
 
exec(@set)
Print 'Success'
end
else
begin
print 'Table is Not there'
end

I have used Dynamic SQL in these sps,...
Is it Easy to pass "SQL Injection" on these prod? if yes then how?

Posted 7-Feb-13 19:20pm

Aarti Meswania

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

_Maxxx_ · Accepted Answer · 2013-02-07T20:04:00

Solution 1

In yr 2nd example, if I called the SP with parameter name parameter something like

"'x','y','z'); drop table Customer;"

tehn your @set will be something like

insert into mytable (name, city,dept) values('x','y','z'); drop table Customer;

which probably isn't what you want.

Posted 7-Feb-13 20:04pm

_Maxxx_

Comments

Aarti Meswania 8-Feb-13 2:24am

then my statement in second sp will be..

insert into mytable (name, city,dept) values('x','y','z''); drop table Customer');

not

insert into mytable (name, city,dept) values('x','y','z'); drop table Customer;

Am I right? so it will not be effected by sql injection
because
"'z'); drop table Customer;"
will taken as value for last parameter 'z'
so... the query will insert this string "'z'); drop table Customer;" inside z column it will not execute it :)

_Maxxx_ 8-Feb-13 5:38am

My text was just an example(I said 'something like' ) typed on the fly - get the quotes right & I think you could pass one or more parameters in such a way as to inject sql

Aarti Meswania 8-Feb-13 5:40am

okay I got it you are right

thank you for response :)