Menu
I have a sp which takes input @featuretype. @featuretype will be equal to either "mobile", "login", or "index", and will correspond to a column in the db.
In my sp I have:
EXEC(
'select TOP 3 * from featuredtypes_v where'+' featuredtypes_v.'+@featuretype+'Page=1'+
' order by featuredtypes_v.priority desc'
)
However, I've been told this opens up the db to a sql injection. My two questions are, why is this, and how else can I write this query in order to avoid this?
933
Why don't you use case?
select TOP 3 *
from featuredtypes_v F
where
case
when @featuretype = 'mobile' then F.MobilePage
when @featuretype = 'login' then F.LoginPage
when @featuretype = 'index' then F.IndexPage
end
= 1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
