SQL injection in stored procedure request

I have a stored procedure that returns search results depending on what the user typed in the text box of a standard search. After pressing enter in the search box, I submit the request to search.aspx?Q=<whatever the user entered>.

search.aspx has an SqlDataSource that takes a querystring parameter and calls a stored procedure that joins several tables and contains the following WHERE clause ...

where (description like '%' + @query + '%' or title like '%' + @query + '%' or calls.call_id like @query or r.firstname = @query or r.lastname = @query or n.note like '%' + @query + '%') 

... is this safe from SQL injection, i.e. when using such parameters?

Thanks,

+4
1 answer

No, this is not susceptible to SQL injection because it uses SQL parameters. Say someone tried to do an SQL injection by specifying the following as the value of @query:

'; DROP TABLE STUDENTS;

You are still safe with the code you provided because the query is yours, except for a parameter, which is not SQL; it is a string. Even if the string contains SQL, it is never executed unless your stored procedure actually executes it. Never do this (unless you have a really good reason (but even then you should probably reverse engineer first)). SQL injection can be easily avoided by simply using parameters to sanitize user input.

+3
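To make the distinction in the answer concrete, here is an added T-SQL example (not code from the question or the answer) showing the parameterised WHERE clause from the question side by side with the one pattern that would reintroduce injection: concatenating @query into a string and executing it. Table and column names (dbo.calls, dbo.requesters, dbo.notes and their join keys) are assumed for illustration; the @query parameter and the search predicates mirror the question.

```sql
-- Added example, not from the original post. Schema names are assumed.

-- 1. Safe: @query is bound as a parameter. Whatever the user typed is
--    compared as data; the database never parses it as SQL.
CREATE OR ALTER PROCEDURE dbo.SearchCalls
    @query nvarchar(200)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT c.call_id, c.title, c.description
    FROM dbo.calls AS c
    LEFT JOIN dbo.requesters AS r ON r.requester_id = c.requester_id
    LEFT JOIN dbo.notes      AS n ON n.call_id = c.call_id
    WHERE (c.description LIKE '%' + @query + '%'
        OR c.title       LIKE '%' + @query + '%'
        OR c.call_id     LIKE @query
        OR r.firstname   =    @query
        OR r.lastname    =    @query
        OR n.note        LIKE '%' + @query + '%');
END;
GO

-- 2. Unsafe: the same search, but the parameter value is spliced into a
--    string that is then executed. Now the answer's payload closes the
--    string literal and runs as a second statement.
CREATE OR ALTER PROCEDURE dbo.SearchCalls_Dynamic_Unsafe
    @query nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT c.call_id, c.title FROM dbo.calls AS c '
      + N'WHERE c.title LIKE ''%' + @query + N'%''';
    EXEC (@sql);   -- concatenation + EXEC is the injection point
END;
GO

-- 3. If dynamic SQL is genuinely needed, keep the value a parameter by
--    passing it through sp_executesql instead of concatenating it.
CREATE OR ALTER PROCEDURE dbo.SearchCalls_Dynamic_Safe
    @query nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT c.call_id, c.title FROM dbo.calls AS c '
      + N'WHERE c.title LIKE ''%'' + @q + ''%''';
    EXEC sys.sp_executesql @sql, N'@q nvarchar(200)', @q = @query;
END;
GO

-- The payload from the answer, passed as a parameter. In procedures 1 and 3
-- it only matches rows that literally contain that text; in procedure 2 it
-- would execute DROP TABLE.
EXEC dbo.SearchCalls @query = N'''; DROP TABLE STUDENTS;';
```

Two practical notes. First, the SqlDataSource in the question is what binds the querystring value to @query, so the safety property holds only as long as nothing inside the procedure turns that value back into executable SQL. Second, LIKE treats %, _ and [ in the user's input as pattern characters; that is not an injection risk, but it does mean a search string can match more broadly than intended, which matters for result filtering and query cost rather than for security.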
