I have a doubt about this situation.
I have a query like this within a stored procedure:
SELECT column1, column2
FROM table1
WHERE column1 like '%' + @column1 + '%'
My question is: is this vulnerable to SQL injection? Do I need to change it to something like this?
declare @column1Like nvarchar(200);
set @column1Like = '%' + @column1 + '%';
SELECT column1, column2
FROM table1
WHERE column1 like @column1Like
Regards
The quick answer is no. To be vulnerable to SQL injection, one must be using dynamic SQL execution.
This would be vulnerable:
-- @column1Like is spliced into the statement text, so its content becomes part of the query
EXECUTE ('SELECT column1, column2 FROM table1 WHERE column1 like ''' + @column1Like + '''');
That also means there is no real difference between your two examples (from a security standpoint, at least).
I think it is vulnerable. For example:
'%' or 1=1--
will show all records of the database if you don't format it like @column1Like.
In this case, I think it's the same as (@column1Like = ''
or @column1Like is null
)
but you must think of other examples like
'%' union select `column11`, `column22`
FROM table2 where `column11` -- is the same type as `column1`
--and `column22` is the same type as `column2`.
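To make the disagreement between the two answers concrete, here is an added example (not code from the original question or either answer). It rebuilds the question's table1 in an in-memory SQLite database (a constructed sample, not the poster's data) and runs the same search two ways: once with the pattern bound as a parameter, which is what the stored procedure's `LIKE '%' + @column1 + '%'` does, and once with the value concatenated into the statement text, which is what the `EXECUTE(...)` form in the first answer does. The payloads are the ones the second answer proposes (`' or 1=1--` and a `union select`). SQLite stands in for SQL Server here; the parameter-binding behaviour being demonstrated is the same.

```python
import sqlite3

# Constructed sample data standing in for the question's table1 (not from the post).
SAMPLE_ROWS = [
    ("apple pie", "dessert"),
    ("banana bread", "bakery"),
    ("cherry tart", "dessert"),
]


def make_db():
    """Create an in-memory table1(column1, column2) holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (column1 TEXT, column2 TEXT)")
    conn.executemany("INSERT INTO table1 VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_parameterized(conn, column1):
    """Equivalent of the stored procedure in the question.

    The '%' wrapping is string concatenation on a *value*; the value is then
    bound to the placeholder, so it is never parsed as SQL.  Whether the
    wrapping happens in SQL ('%' + @column1 + '%') or in the host language
    (as here) makes no difference to that.
    """
    pattern = "%" + column1 + "%"
    cur = conn.execute(
        "SELECT column1, column2 FROM table1 WHERE column1 LIKE ?", (pattern,)
    )
    return cur.fetchall()


def search_dynamic(conn, column1):
    """Equivalent of EXECUTE('... LIKE ''' + @column1Like + '''').

    The value is spliced into the statement text before it is parsed, so a
    quote in the value ends the literal and the rest is parsed as SQL.
    """
    sql = (
        "SELECT column1, column2 FROM table1 WHERE column1 LIKE '%"
        + column1
        + "%'"
    )
    return conn.execute(sql).fetchall()


# Payloads in the spirit of the second answer.  The leading 'zzz' makes sure
# the LIKE itself matches nothing, so any rows returned come from the injected SQL.
TAUTOLOGY = "zzz' OR 1=1--"
UNION = "zzz' UNION SELECT name, sql FROM sqlite_master--"


def compare(payload):
    """Return (rows via bound parameter, rows via dynamic SQL) for one input."""
    conn = make_db()
    return search_parameterized(conn, payload), search_dynamic(conn, payload)


if __name__ == "__main__":
    for label, payload in [("benign", "pie"), ("tautology", TAUTOLOGY), ("union", UNION)]:
        bound, dynamic = compare(payload)
        print(f"{label:10s} parameterized={len(bound)} rows, dynamic={len(dynamic)} rows")
```

With the bound parameter, `zzz' OR 1=1--` and the `union select` payload are just strings that match no row, so both return nothing; spliced into dynamic SQL, the first returns every row and the second returns the schema of `table1` out of `sqlite_master`. One caveat worth knowing: binding stops injection, but `%` and `_` supplied by the user still act as LIKE wildcards (an input of `a%e` matches two of the sample rows), which matters if you care about users probing the data or forcing expensive scans. On SQL Server, if dynamic SQL is genuinely needed, `sp_executesql` with a parameter list keeps the value bound in the same way.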