Home/ Questions/Q 1012217
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T09:54:46+00:00

Does passing SQL Parameters to a stored procedure alone ensure that SQL injection won’t

  • 0

Does passing SQL Parameters to a stored procedure alone ensure that SQL injection won’t happen or the type checks also need to be performed?

As an example –
ADO.NET Code: 

    Database DBObject = DataAccess.DAL.GetDataBase();
    DbCommand command = DBObject.GetStoredProcCommand("usp_UpdateDatabase");
    List<DbParameter> parameters = new List<DbParameter>();
    parameters.Add(new SqlParameter("@DbName", txtName.Text));
    parameters.Add(new SqlParameter("@DbDesc", txtDesc.Text));
    command.Parameters.AddRange(parameters.ToArray());
    rowsAffected = DBObject.ExecuteNonQuery(command);

SP:

ALTER PROCEDURE [dbo].[usp_GetSearchResults] 
 -- Add the parameters for the stored procedure here
  @DbName NVARCHAR(50)  = ''
 ,@DbDesc NVARCHAR(50)  = ''

AS
BEGIN
  SET NOCOUNT ON; 
  SELECT     [RegionName]
            ,[AppName]
  FROM  [ApplicationComponent]
  WHERE [DBName]  LIKE ('%' + @DbName+ '%')
  OR    [DBDesc]  LIKE ('%' + @DbDesc+ '%')
END

In the above code, I havent mentioned any parameter types or validation logic. Would it still preevnt SQL injection?

Thanks for the guidance!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No, that should be fine. The value in the LIKE clause is still built up as a string value, rather than being interpreted as part of the SQL statement. It’s still being treated as data rather than code, and that’s the crucial part of avoiding SQL injection attacks.

    • 0