SQL Injection in Stored Procedures and How to Prevent It
Posted September 30th, 2009 by Dhiraj Ranka

The following small example creates a stored procedure that builds its query by concatenating the caller's input into a SQL string.
====================================================================
CREATE PROC sp_login (@loginid NVARCHAR(25), @password NVARCHAR(25))
AS
/* sp_executesql requires an NVARCHAR statement, so the buffer is declared as such.
   The procedure parameters are already in scope and must not be re-declared. */
DECLARE @SQLString NVARCHAR(500)
/* Build the SQL string once. The caller-supplied @loginid and @password are
   spliced straight into the statement text, which is what makes this injectable. */
SET @SQLString = N'SELECT * FROM cust_users WHERE login_id = ' + '''' + @loginid + '''' + N' AND password = ' + '''' + @password + ''''
EXECUTE sp_executesql @SQLString
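The fix is to stop treating the user's values as part of the statement text. The two procedures below are an added example, not code from the original post; they assume the same cust_users table with login_id and password columns, and the procedure names sp_login_safe and sp_login_safe_dynamic are chosen here for illustration.

```sql
-- Added example (not from the original post): the same login lookup with the
-- user-supplied values passed as parameters instead of spliced into the text.
-- Assumes the cust_users table and the login_id / password columns from the post.

-- Option 1: no dynamic SQL at all. The parameters never become part of the
-- statement text, so the statement is fixed and the values cannot alter it.
CREATE PROC sp_login_safe (@loginid NVARCHAR(25), @password NVARCHAR(25))
AS
BEGIN
    SET NOCOUNT ON;
    SELECT * FROM cust_users
    WHERE login_id = @loginid AND password = @password;
END
GO

-- Option 2: the statement text genuinely has to be assembled at runtime, so
-- sp_executesql is still used, but the user-supplied values are bound through
-- its parameter list. @login and @pwd inside the text are parameters, not
-- string splices, and the text itself contains no caller-controlled characters.
CREATE PROC sp_login_safe_dynamic (@loginid NVARCHAR(25), @password NVARCHAR(25))
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @SQLString NVARCHAR(500);
    DECLARE @ParamDefinition NVARCHAR(200);

    SET @SQLString = N'SELECT * FROM cust_users WHERE login_id = @login AND password = @pwd';
    SET @ParamDefinition = N'@login NVARCHAR(25), @pwd NVARCHAR(25)';

    EXECUTE sp_executesql @SQLString, @ParamDefinition,
                          @login = @loginid, @pwd = @password;
END
GO

-- Sanity check with constructed values: a login id containing a single quote
-- is compared as a literal value and does not change the statement.
EXEC sp_login_safe @loginid = N'o''brien', @password = N'example';
EXEC sp_login_safe_dynamic @loginid = N'o''brien', @password = N'example';
```

Prefer option 1 whenever the query shape is known in advance; reach for option 2 only when the statement really must be built at runtime, and even then keep every caller-supplied value in the parameter list. Parameterization removes the injection path but says nothing about how the password column is stored, which is a separate concern from this post.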
Filed under: Secure Coding, SQL Injection