2 Questions actually:
I know I must use Stored Procedures as much as possible, but I would like to know the following please.
A: Can I get a SQL Injection attack from a SELECT statement such as (Select * from MyTable)?
B: Also, can I get a SQL Injection attack when I use the SQLDataSource in ASP.NET?
You can get an SQL injection attack anytime that you are not using parameterized queries, for the most part.
In your example,
SELECT * from MyTable
there isn't any user-inputted data, so that should be fine. However, something like:
SELECT * from MyTable WHERE name='x'
(x being a parameter) then there's a chance that someone injects some SQL into their name.
B: ASP.NET uses parameterized queries because it builds the query based on the parameters that you provide programmatically.
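The difference between the two forms of the WHERE name='x' query discussed above, as an added example that is not part of the original question or answer. It uses Python's built-in sqlite3 module as a stand-in for the ASP.NET data layer (an assumption made so the code runs offline); the table rows and input strings are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table standing in for the page's MyTable (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MyTable (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO MyTable (name) VALUES (?)",
                   [("alice",), ("bob",), ("o'brien",)])
    return db

def find_concatenated(db, name):
    """Vulnerable form: the value is pasted into the SQL text, so the
    database parses it as part of the statement."""
    sql = "SELECT id, name FROM MyTable WHERE name='" + name + "' ORDER BY id"
    return db.execute(sql).fetchall()

def find_parameterized(db, name):
    """Hardened form: the SQL text is fixed and the value is bound
    separately, so it is only ever compared as data."""
    sql = "SELECT id, name FROM MyTable WHERE name=? ORDER BY id"
    return db.execute(sql, (name,)).fetchall()

def compare(name):
    """Run both forms on the same input; return rows or the error raised."""
    db = make_db()
    try:
        concatenated = find_concatenated(db, name)
    except sqlite3.Error as exc:
        concatenated = "error: " + type(exc).__name__
    return concatenated, find_parameterized(db, name)

if __name__ == "__main__":
    # Constructed inputs: a normal name, a value that rewrites the WHERE
    # clause, and a legitimate name that contains an apostrophe.
    for value in ["alice", "x' OR '1'='1", "o'brien"]:
        print(repr(value), "->", compare(value))
```

In ADO.NET the same separation comes from giving SqlCommand a fixed command text and passing the value through its Parameters collection.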