
Is this SQL Procedure "injection proof"?

10 votes
6 answers
2929 views
Almost all answers and examples of SQL injection show some form of dynamic SQL or interpreting parameters as SQL. I haven't been able to find an example of the "correct" way. Microsoft's and Oracle's documentation just show examples of what not to do. So, I figured I should ask whether this example of a stored procedure is protected against SQL injection attacks.
-- T-SQL. Parameter declarations take the form "@name type", separated by commas.
CREATE PROCEDURE test
    @username varchar(30),
    @password varchar(30)
AS
BEGIN
    SELECT *
    FROM credentials
    WHERE username = @username
    AND password = @password;
END
GO
Would this particular procedure be susceptible to SQL injection? I created the procedure and executed it with various attempts to inject SQL, such as EXEC test @password = '0; drop table credentials;', but was unable to do so. I figure I might not be doing the attack correctly.
Asked by UpTide (271 rep)
Mar 15, 2023, 03:06 PM
Last activity: Mar 17, 2023, 05:59 AM
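The following is an added T-SQL example, not part of the question above or of any posted answer. It places the question's procedure (with its declaration syntax fixed) beside two variants that build dynamic SQL, to show exactly where injection arises. The table, the sample row, the procedure names test_static, test_dynamic_bad and test_dynamic_ok, and the payload are all constructed for this example.

```sql
-- Added example (not from the original question). Table and row are
-- constructed for illustration; run in a throwaway SQL Server database.
CREATE TABLE credentials (username varchar(30), password varchar(30));
INSERT INTO credentials VALUES ('alice', 'hunter2');
GO

-- 1. Static SQL with parameters: what the question shows. The query text
--    is compiled once; @username and @password are only ever compared as
--    values, so the parser never sees their contents as SQL.
CREATE PROCEDURE test_static
    @username varchar(30),
    @password varchar(30)
AS
BEGIN
    SELECT * FROM credentials
    WHERE username = @username AND password = @password;
END
GO

-- 2. A procedure that takes parameters but is still injectable: the values
--    are concatenated into a string that is then parsed and executed as SQL.
CREATE PROCEDURE test_dynamic_bad
    @username varchar(30),
    @password varchar(30)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM credentials WHERE username = ''' + @username +
        N''' AND password = ''' + @password + N''';';
    EXEC (@sql);
END
GO

-- 3. Dynamic SQL done safely: the statement text is fixed and the values are
--    handed to sp_executesql as parameters, exactly as in case 1.
CREATE PROCEDURE test_dynamic_ok
    @username varchar(30),
    @password varchar(30)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM credentials WHERE username = @u AND password = @p;';
    EXEC sp_executesql @sql,
        N'@u varchar(30), @p varchar(30)',
        @u = @username, @p = @password;
END
GO

-- Login-bypass attempt. The single quote is what breaks out of the string
-- literal in case 2; the payload is 12 characters, so it fits in varchar(30).
DECLARE @payload varchar(30) = 'x'' OR ''1''=''1';

EXEC test_static      @username = 'alice', @password = @payload;  -- no rows
EXEC test_dynamic_bad @username = 'alice', @password = @payload;  -- alice's row
EXEC test_dynamic_ok  @username = 'alice', @password = @payload;  -- no rows
GO
```

In test_dynamic_bad the WHERE clause becomes `username = 'alice' AND password = 'x' OR '1'='1'`, which is true for every row. The same payload against test_static or test_dynamic_ok is just a 12-character password value and matches nothing. Note also that a payload with no quote in it, such as the `0; drop table credentials;` tried in the question, stays inside the string literal even in the concatenating version; it is the quote that ends the literal and lets the rest be parsed as SQL.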