Do stored procedures prevent SQL injection?
No, stored procedures do not prevent SQL injection. Here’s an actual example of a stored procedure that unfortunately permits SQL injection:
CREATE PROCEDURE [dbo].[sp_colunmName2]
@columnName as nvarchar(30),
@type as nvarchar(30),
@searchText as nvarchar(30)
AS
BEGIN
DECLARE @SQLStatement NVARCHAR(4000)
BEGIN
-- All three parameters are concatenated straight into the statement text;
-- none of them is a bind parameter, so each one is an injection point
SELECT @SQLStatement = 'select * from Stations where ' + @columnName + ' ' + @type + ' ' + '''' + @searchText + ''''
-- The assembled string is then executed as-is
EXEC(@SQLStatement)
END
END
GO
The developer’s idea was to create a versatile search procedure, but the result is that the WHERE clause can …
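The same "versatile search" can be written so that the caller's input never becomes part of the statement text. The T-SQL below is an added example, not code from the article; it assumes a table named dbo.Stations (the only name the original procedure reveals) and uses a hypothetical procedure name. Identifiers and operators cannot be bound as parameters, so they are validated against a whitelist and quoted with QUOTENAME; the search value itself is passed to sp_executesql as a genuine parameter.

```sql
-- Added example (not from the original article): a hardened rewrite of the
-- dynamic search procedure. Assumes dbo.Stations exists; the procedure name
-- and the column passed in the usage call at the bottom are hypothetical.
CREATE PROCEDURE [dbo].[sp_SearchStations_Safe]
    @columnName AS sysname,
    @type       AS nvarchar(10),
    @searchText AS nvarchar(30)
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Column name: an identifier cannot be a bind parameter, so the only
    --    defence is a whitelist. Here the catalogue itself is the whitelist:
    --    the name must be a real column of dbo.Stations.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.columns
        WHERE object_id = OBJECT_ID(N'dbo.Stations')
          AND name = @columnName
    )
    BEGIN
        RAISERROR(N'Invalid column name', 16, 1);
        RETURN;
    END;

    -- 2. Operator: same problem, same answer. Only a fixed set of comparison
    --    operators is accepted; anything else is rejected before any SQL is built.
    IF @type NOT IN (N'=', N'<>', N'<', N'>', N'LIKE')
    BEGIN
        RAISERROR(N'Invalid operator', 16, 1);
        RETURN;
    END;

    -- 3. Search value: never concatenated. The statement text contains only
    --    the validated, QUOTENAME-delimited column, the validated operator and
    --    a placeholder (@p); the value is supplied separately as a parameter.
    DECLARE @sql nvarchar(4000) =
        N'SELECT * FROM dbo.Stations WHERE '
        + QUOTENAME(@columnName) + N' ' + @type + N' @p';

    EXEC sys.sp_executesql
        @sql,
        N'@p nvarchar(30)',
        @p = @searchText;
END;
GO

-- Usage (column name and value are constructed for illustration):
EXEC dbo.sp_SearchStations_Safe @columnName = N'City', @type = N'=', @searchText = N'Berlin';
```

The point of the rewrite is the split in step 3: everything that reaches the SQL text has been checked against a closed set (catalogue column names, a handful of operators), and the one piece of free-form input is bound as @p, so whatever it contains is compared as data rather than parsed as SQL. Dynamic SQL inside a stored procedure is not itself the problem; string concatenation of caller input is.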