Contents tagged with Injection
Today I want to write a simple note on how to write stored procedures in MS SQL Server that are protected from SQL injection.
Below is an example of a SQL stored procedure that is vulnerable to SQL injection attacks:
-- Bad code, don't use it ever
CREATE PROCEDURE SearchCustomers @searchCust VARCHAR(100)
AS
DECLARE @query VARCHAR(200)
SET @query = 'SELECT * FROM Customer WHERE NAME LIKE ''%' + @searchCust + '%'''
EXEC(@query) -- executes the concatenated string, so user input becomes part of the SQL text
Why is it bad? Because if somebody passes a value like ' OR 1=1 -- as @searchCust, the leading quote closes the string literal and the rest is executed as SQL: the statement becomes SELECT * FROM Customer WHERE NAME LIKE '%' OR 1=1 --%' and SQL Server returns all customers. With a bit more creativity an attacker can pull plenty of other information out of that database.
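For contrast, here is the same search written two safe ways. This is an added example, not code from the original post; it assumes only the Customer table and its NAME column used above, and the table creation and rows at the top are constructed test data so the script runs stand-alone. Procedure names SearchCustomers_Static and SearchCustomers_Dynamic are my own.

```sql
-- Added example (not from the original post): the same search, written two safe ways.
-- Assumes the Customer table and its NAME column from the vulnerable version above.

-- Minimal schema so the script runs stand-alone (constructed test data).
CREATE TABLE Customer (Id INT IDENTITY PRIMARY KEY, NAME NVARCHAR(200) NOT NULL);
INSERT INTO Customer (NAME) VALUES (N'Alice Adams'), (N'Bob Brown'), (N'Carol O''Neil');
GO

-- Option 1: no dynamic SQL at all. The parameter is bound as data and can never
-- change the statement's structure, so a value like ' OR 1=1 -- is just text.
CREATE PROCEDURE SearchCustomers_Static
    @searchCust NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Id, NAME
    FROM Customer
    WHERE NAME LIKE '%' + @searchCust + '%';
END
GO

-- Option 2: dynamic SQL is genuinely needed (here: the column to search is chosen
-- at run time). Keep the user value out of the SQL string and hand it to
-- sp_executesql as a typed parameter; anything that must become an identifier
-- is checked against an allow-list and wrapped in QUOTENAME, never concatenated raw.
CREATE PROCEDURE SearchCustomers_Dynamic
    @searchCust NVARCHAR(100),
    @column     sysname = N'NAME'
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers cannot be parameterised, so allow only known columns.
    IF @column NOT IN (N'NAME')
    BEGIN
        RAISERROR(N'Unsupported search column', 16, 1);
        RETURN;
    END

    -- @pattern below is a placeholder inside the SQL text, not the user's value.
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, NAME FROM Customer WHERE ' + QUOTENAME(@column)
      + N' LIKE ''%'' + @pattern + ''%''';

    EXEC sys.sp_executesql
        @sql,
        N'@pattern NVARCHAR(100)',
        @pattern = @searchCust;
END
GO

-- The payload from the post, against the safe procedures: zero rows, not the whole table.
EXEC SearchCustomers_Static  @searchCust = N''' OR 1=1 --';
EXEC SearchCustomers_Dynamic @searchCust = N''' OR 1=1 --';

-- A legitimate search still works: the apostrophe in O'Neil is data, not syntax.
EXEC SearchCustomers_Static  @searchCust = N'O''Neil';
GO
```

One caveat that parameterisation does not cover: LIKE treats %, _ and [ in @searchCust as wildcards. That is not an injection (the statement's structure is fixed), but if exact matching matters, escape those characters in the value and add an ESCAPE clause to the LIKE.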
If you wonder, … more