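-- Demo table queried by the stored-procedure examples that follow.
CREATE TABLE Students (
    id INT PRIMARY KEY IDENTITY(1,1),  -- generated key, so the INSERT below does not supply it
    FirstName NVARCHAR(200),
    LastName NVARCHAR(200)
);

-- Seed row for the lookups below. The column list and the VALUES keyword are
-- both required; INSERT INTO Students ('John', 'Doe') does not parse.
INSERT INTO Students (FirstName, LastName)
VALUES ('John', 'Doe');
-- End the batch here: CREATE PROCEDURE must be the first statement in its batch.
GO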
-- Looks up students by first name using static SQL.
-- @StudentName is used only as a value in the WHERE comparison, so whatever
-- text the caller passes is compared against FirstName and is never parsed as
-- part of the statement.
-- NOTE(review): FirstName is declared NVARCHAR(200) while this parameter is
-- VARCHAR(200); confirm the narrower type is intended.
CREATE PROCEDURE sp_SelectStudent
    @StudentName VARCHAR(200)
AS
BEGIN
    SELECT *
    FROM Students
    WHERE FirstName = @StudentName;
END
GO
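-- Ordinary lookup: returns the rows whose FirstName is 'John'.
EXEC sp_SelectStudent @StudentName = 'John';

-- Same call with a quote and a second statement inside the argument. The
-- static procedure compares the whole string to FirstName, so the expected
-- result is an empty row set; the embedded EXEC text is data and is not run.
EXEC sp_SelectStudent @StudentName = 'John''; EXEC sp_HelpUser --';
-- End the batch here: ALTER PROCEDURE must be the first statement in its batch.
GO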
-- Intentionally injectable variant of the lookup, kept that way for the calls
-- that follow it. The statement is assembled as text: @StudentName is spliced
-- between two quote characters, so a quote inside the argument ends the string
-- literal and the remainder of the argument is executed as SQL.
-- Where dynamic SQL is genuinely needed, keep the value out of the text and
-- bind it instead, for example:
--   EXEC sp_executesql
--        N'SELECT * FROM Students WHERE FirstName = @Name',
--        N'@Name NVARCHAR(200)',
--        @Name = @StudentName;
ALTER PROCEDURE sp_SelectStudent2
    @StudentName VARCHAR(200)
AS
BEGIN
    DECLARE @Query NVARCHAR(500) =
        'SELECT * FROM Students WHERE FirstName = ''' + @StudentName + '''';

    -- Emit the composed text so the reader can see exactly what will execute.
    PRINT @Query;
    EXEC (@Query);
END
GO
-- Throwaway table that exists only so the second call below has something
-- harmless to lose.
CREATE TABLE Sacrifice (
    id INT PRIMARY KEY,
    Field1 NVARCHAR(200)
);

-- Benign input: the composed statement is a plain SELECT on Students.
EXEC sp_SelectStudent2 @StudentName = 'John';

-- The doubled quote reaches the procedure as a single quote, which closes the
-- string literal in the composed text. What follows it runs as a second
-- statement, and the trailing -- comments out the quote the procedure appends.
-- Expected effect: the Sacrifice table is dropped.
EXEC sp_SelectStudent2 @StudentName = 'John''; DROP TABLE Sacrifice --';

-- Same input shape as the call above, here carrying a procedure call rather
-- than DDL. Compare with the identical argument passed to sp_SelectStudent,
-- where the text stays data.
EXEC sp_SelectStudent2 @StudentName = 'John''; EXEC sp_HelpUser --';