[dba-SQLServer] SQL Injection and Sprocs

Stuart McLachlan stuart at lexacorp.com.pg
Tue Aug 29 16:33:21 CDT 2006


On 29 Aug 2006 at 13:50, Francisco Tapia wrote:

> There is one bad form,  A developer who used to work here took it upon
> himself to use a "global" sproc, in which it takes an @nText parameter
> and executes it in the stored procedure.  blah!

Ouch!

Let me rephrase my last post:

By forcing these user-input parameters into sproc parameters, they become 
"just data" inside the sproc and there is no way for them to actually be 
executed... unless the sproc is deliberately written to execute the 
parameter :-(




-- 
Stuart
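The distinction Stuart draws, as an added T-SQL example that is not part of the original thread: a "global" sproc that executes its parameter (the bad form Francisco describes), a sproc that turns data back into code by concatenation, and two forms in which the parameter stays data. The table and column names (dbo.Customers, CustomerID, CustomerName) are assumptions for the illustration.

```sql
-- Assumed schema for illustration: dbo.Customers(CustomerID, CustomerName)

-- BAD: the parameter *is* the statement. Whatever the caller passes becomes
-- code, so the sproc boundary gives no protection at all.
CREATE PROCEDURE dbo.usp_RunAnything
    @nText NVARCHAR(MAX)
AS
BEGIN
    EXEC (@nText);   -- arbitrary SQL, run with the sproc's permissions
END
GO

-- ALSO BAD: the parameter arrives as data, but the sproc splices it back into
-- a statement string, so a quote character in @CustomerName alters the query.
CREATE PROCEDURE dbo.usp_FindCustomer_Unsafe
    @CustomerName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerID, CustomerName FROM dbo.Customers WHERE CustomerName = '''
        + @CustomerName + N'''';
    EXEC (@sql);
END
GO

-- GOOD: static SQL. @CustomerName is only ever compared as a value.
CREATE PROCEDURE dbo.usp_FindCustomer
    @CustomerName NVARCHAR(100)
AS
BEGIN
    SELECT CustomerID, CustomerName
    FROM dbo.Customers
    WHERE CustomerName = @CustomerName;
END
GO

-- GOOD when dynamic SQL is genuinely needed: the statement text is a constant
-- and the value is bound through sp_executesql as a typed parameter, so it is
-- never spliced into the text.
CREATE PROCEDURE dbo.usp_FindCustomer_Dynamic
    @CustomerName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerID, CustomerName FROM dbo.Customers WHERE CustomerName = @name';
    EXEC sp_executesql @sql, N'@name NVARCHAR(100)', @name = @CustomerName;
END
GO
```

A quick audit for the first two patterns is to search procedure definitions for EXEC ( and EXECUTE ( with a parameter or concatenated string inside the parentheses.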