3 comments

[ 3.0 ms ] story [ 11.7 ms ] thread
This is link bait. Where is the stored procedure and ORM again? Of course you will be vulnerable if you do the query concatenation yourself!
He's using stored procedures to exec a block of sql he puts together. If you do it that way it's no different to slapping a query together directly in your code.

If you do it this way you avoid the string concatenation that enables sql injection + you don't need any table permissions just execute permission on the proc:

    ALTER PROCEDURE dbo.SearchWidgets 
      @SearchTerm VARCHAR(50)
    AS
    BEGIN
        DECLARE @filter VARCHAR(52)
        SELECT @filter = '%' + @SearchTerm + '%'
        SELECT Id, Name FROM dbo.Widget WHERE Name LIKE @filter
    END