2 questions actually:
I know I must use stored procedures as much as possible, but I would like to know the following please.
A: Can I get a SQL Injection attack from a SELECT statement such as (Select * from MyTable)?
B: Also, can I get a SQL Injection attack when I use the SQLDataSource in ASP.NET?
To answer your questions.
A: Yes, you can get an SQL Injection attack from any query that takes parameters (even calling stored procedures if you are not using the provided methods by your platform and doing it via SQL calls).
I was asked to provide an example of how an injection can be made even by using stored procedure. I’ve seen applications developed that do use stored procedures, but in this way:
Obviously, this is not the way to call a stored procedure. You should use your platform’s abstractions or parametrized queries.
B:
SQLDataSource is an abstraction layer for your database. It will create the SQL queries for you and automatically sanitize them in order to prevent injection. In order to avoid injection, either:
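Added example, not code from the original answer: the string-concatenated stored-procedure call the answer warns about, side by side with the parameterized `SqlCommand` forms for both a stored procedure (question A's stored-procedure case) and a plain `SELECT`. The procedure name `dbo.GetUserByName`, the table `dbo.Users`, and the `@Username` parameter are assumed for illustration; `System.Data.SqlClient` is the ADO.NET provider the code targets.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (hypothetical procedure/table names). Shows why wrapping a
// stored procedure in concatenated SQL text does not prevent injection, and
// what the parameterized equivalents look like.
public static class StoredProcedureCalls
{
    // UNSAFE: the user's input becomes part of the SQL text itself. An
    // apostrophe in the input terminates the string literal and whatever
    // follows is parsed by the server as SQL. Calling a stored procedure this
    // way gives none of the protection the procedure was supposed to provide.
    public static string BuildUnsafeCommandText(string username)
    {
        return "EXEC dbo.GetUserByName '" + username + "'";
    }

    // SAFE: the command text is only the procedure name; the value travels as
    // a typed parameter and is never parsed as SQL.
    public static SqlCommand CreateSafeProcedureCall(SqlConnection connection, string username)
    {
        var cmd = new SqlCommand("dbo.GetUserByName", connection)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 100).Value = username;
        return cmd;
    }

    // SAFE: the same idea for an ordinary SELECT (question A). A SELECT with no
    // user-controlled input ("SELECT * FROM MyTable") has nothing to inject
    // into; as soon as input reaches the query text, use a parameter.
    public static SqlCommand CreateSafeSelect(SqlConnection connection, string username)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Username FROM dbo.Users WHERE Username = @Username",
            connection);
        cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 100).Value = username;
        return cmd;
    }

    public static void Main()
    {
        // Constructed input: a legitimate name that happens to contain an
        // apostrophe is enough to break the concatenated version.
        string input = "O'Brien";

        Console.WriteLine(BuildUnsafeCommandText(input));
        // prints: EXEC dbo.GetUserByName 'O'Brien'   <- literal ends after O

        // The connection is never opened here; the point is the command shape.
        using (var conn = new SqlConnection("Server=(placeholder);Database=(placeholder);Integrated Security=true"))
        {
            SqlCommand proc = CreateSafeProcedureCall(conn, input);
            Console.WriteLine(proc.CommandText + " / " + proc.CommandType);
            // prints: dbo.GetUserByName / StoredProcedure

            SqlCommand select = CreateSafeSelect(conn, input);
            Console.WriteLine(select.Parameters["@Username"].Value);
            // prints: O'Brien  (sent as data, unchanged, not spliced into the SQL)
        }
    }
}
```

The protection in both safe forms comes entirely from the parameter objects, not from the stored procedure. The same holds for `SqlDataSource`: its `SelectParameters` map to exactly these `@Name` parameters, so a `SelectCommand` assembled from user input by string concatenation in code-behind would give that benefit away.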