Why does SQL Injection not happen on this query inside a stored procedure?
20 votes, 2 answers, 4533 views
I made the following stored procedure:
ALTER PROCEDURE usp_actorBirthdays (@nameString nvarchar(100), @actorgender nvarchar(100))
AS
SELECT ActorDOB, ActorName FROM tblActor
WHERE ActorName LIKE '%' + @nameString + '%'
AND ActorGender = @actorgender
Now, I tried doing something like this. Maybe I am doing this wrong, but I want to be sure that such a procedure can prevent any SQL Injection:
EXEC usp_actorBirthdays 'Tom', 'Male; DROP TABLE tblActor'
The image below shows the SQL above being executed in SSMS and results being displayed correctly instead of an error:
By the way, I added the part following the semicolon after the query had finished executing. Then I executed it again, but when I checked to see whether the table tblActor still exists, it was still there. Am I doing something wrong? Or is this really injection-proof? I guess what I am also trying to ask here is: is a stored procedure like this safe? Thank you.

Asked by Ravi
(677 rep)
Nov 17, 2015, 02:56 AM
Last activity: Jul 10, 2023, 05:35 PM
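The following T-SQL is an added example, not part of the original question or of any answer. It shows why the procedure above is not injectable (the parameters are bound as values and are never re-parsed as T-SQL) and, for contrast, the one rewrite that would make the same query injectable: building the statement text by concatenation and running it with EXEC. The procedure names usp_actorBirthdays_dynamic and usp_actorBirthdays_safe are made up for this illustration; the table tblActor is the one from the question. The dynamic version really does drop the table when given the payload, so run it only against a throwaway copy.

```sql
-- Added example (not from the original post). Assumes the tblActor table and
-- the usp_actorBirthdays procedure from the question exist. The procedure
-- names usp_actorBirthdays_dynamic and usp_actorBirthdays_safe are invented.

-- 1. The original procedure: @nameString and @actorgender arrive as typed
--    values. '%' + @nameString + '%' is ordinary string concatenation that
--    yields a LIKE pattern at run time; the result is data for the predicate
--    and is never parsed as T-SQL. The payload below is simply compared
--    against ActorGender and matches no row.
EXEC usp_actorBirthdays 'Tom', 'Male; DROP TABLE tblActor';
GO

-- 2. The same logic rewritten with dynamic SQL built by concatenation.
--    Now the parameter text IS spliced into a statement string that is then
--    parsed and executed, so a crafted value becomes executable T-SQL.
CREATE PROCEDURE usp_actorBirthdays_dynamic (@nameString nvarchar(100), @actorgender nvarchar(100))
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT ActorDOB, ActorName FROM tblActor '
      + N'WHERE ActorName LIKE ''%' + @nameString + N'%'' '
      + N'AND ActorGender = ''' + @actorgender + N'''';
    EXEC (@sql);   -- vulnerable: parses whatever the concatenation produced
END;
GO

-- A payload that first closes the quoted literal. The string handed to EXEC
-- ends up as:  ... AND ActorGender = 'Male'; DROP TABLE tblActor --'
-- and the DROP runs. (The single quote is doubled here only because this
-- call site is itself a T-SQL literal.)
EXEC usp_actorBirthdays_dynamic 'Tom', 'Male''; DROP TABLE tblActor --';
GO

-- 3. Dynamic SQL done correctly: sp_executesql with a parameter list.
--    The statement text is fixed and the values travel separately, so the
--    same payload is once again just a string compared against ActorGender.
CREATE PROCEDURE usp_actorBirthdays_safe (@nameString nvarchar(100), @actorgender nvarchar(100))
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT ActorDOB, ActorName FROM tblActor '
      + N'WHERE ActorName LIKE ''%'' + @name + ''%'' AND ActorGender = @gender';
    EXEC sp_executesql @sql,
        N'@name nvarchar(100), @gender nvarchar(100)',
        @name = @nameString, @gender = @actorgender;
END;
GO

EXEC usp_actorBirthdays_safe 'Tom', 'Male''; DROP TABLE tblActor --';
GO
```

Two caveats follow from this. First, "stored procedure" is not what makes the original safe; parameter binding is. A procedure that concatenates its parameters into a string and calls EXEC is exactly as injectable as application code that does the same. Second, parameter binding stops code injection but not pattern injection: because @nameString is placed inside a LIKE pattern, a caller can pass '%' or '_' to match every row, which may or may not be acceptable for this query. If it is not, escape those characters with the ESCAPE clause of LIKE before concatenating the pattern.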