SQL Injection Possible in Non-Dynamic Query in Stored Procedures

Question

0.00/5 (No votes)

See more:

I study so much about SQL Injection and how to prevent it.

But I have a doubt related to SQL Injection:

I know that SQL Injection is Possible in Dynamic Queries,
Like

SQL

ALTER PROCEDURE sp_GetProduct(@Name NVARCHAR(50))
AS
BEGIN
    DECLARE @sqlcmd NVARCHAR(MAX);
    SET @sqlcmd = N'SELECT * FROM tbl_Product WHERE Name = ''' + @Name + '''';

    EXECUTE(@sqlcmd)
END

and attack is possible by just passing value of @name variable as:

Shampoo'; DROP TABLE tbl_Product; --

Now I use Non-Dynamic Query in SP
Like:

SQL

ALTER PROCEDURE sp_GetProduct(@Name NVARCHAR(50))
AS
    SELECT * FROM tbl_Product WHERE Name = @Name;

So My Question Is: When I use Non-Dynamic Queries,
Q1. SQL injection is Possible and If yes then
Q2. How...
Give me some ideas......

Posted 18-Jun-14 2:17am

Arun kumar Gauttam

Updated 18-Jun-14 17:32pm

v4

Add a Solution

Comments

Mike Meinz 18-Jun-14 8:20am

SELECT * FROM tbl_Product WHERE Name = @Name; does not allow SQL Injection attack because the contents of @Name is treated as a parameter value that is compared to the database column name rather than as a part of the SQL statement to be parsed.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Accepted Answer · 2014-06-18T02:23:00

Solution 1

No.
A parameter is different: it doesn't go through the SQL input parser, which is where SQL injection happens.
Because @Name is never parsed - just it's content used to compare with DB items - it cannot be executed and so there can be no injection into the SQL command.

Posted 18-Jun-14 2:23am

OriginalGriff