How do I add double quotes to a SQL parameter variable (SQL Server 2008 R2) in a stored procedure safely?
I have this:
CREATE PROCEDURE procedure1 (@var1 NVARCHAR(100))
AS
BEGIN
    DECLARE @var2 NVARCHAR(100);
    SET @var2 = '"' + @var1 + '"';
    SELECT * FROM TABLE1 WHERE CONTAINS(col1, @var2);
END
So is my SET @var2 statement vulnerable to SQL injection? Is there a recommended way of adding strings together?
That’s fine.
Issues with concatenating quotes and SQL injection only arise when you are doing so to create a SQL statement that you then EXEC-ute in some manner. Concatenating them to a variable that is not itself concatenated into a SQL statement is not a SQL injection issue. The variable @var2 is treated as data rather than executable code throughout.
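The distinction the answer draws, written out as three stored procedures. This is an added example, not code from the question or the answer; the table `TABLE1`, the columns `col1`/`col2` and the procedure names are assumed. The first procedure is the question's pattern (the value stays data), the second splices the same concatenated value into statement text and executes it (the injection case), and the third shows how to keep user input out of statement text when dynamic SQL is genuinely needed, using `sp_executesql` parameters and `QUOTENAME` with an allow-list for the identifier. `RAISERROR` is used instead of `THROW` so it runs on SQL Server 2008 R2.

```sql
-- 1. The question's pattern: the parameter is only ever a value.
--    The single SELECT below is the only statement that runs, whatever @var1 holds.
--    The full-text parser reads the double quotes as phrase delimiters, so @var1
--    decides what CONTAINS searches for, not which SQL is compiled.
CREATE PROCEDURE dbo.SearchPhrase_Safe (@var1 NVARCHAR(100))
AS
BEGIN
    DECLARE @var2 NVARCHAR(102);            -- 100 chars + two quote characters
    SET @var2 = N'"' + @var1 + N'"';
    SELECT * FROM TABLE1 WHERE CONTAINS(col1, @var2);
END
GO

-- 2. Same concatenation, but the result becomes part of a statement that is EXEC'd.
--    Now the contents of @var1 are compiled as T-SQL: this is the SQL injection case.
CREATE PROCEDURE dbo.SearchPhrase_Dynamic_Unsafe (@var1 NVARCHAR(100))
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    -- '' inside the literal is an escaped single quote, so the generated text is
    --   SELECT * FROM TABLE1 WHERE CONTAINS(col1, '"<contents of @var1>"')
    SET @sql = N'SELECT * FROM TABLE1 WHERE CONTAINS(col1, ''"' + @var1 + N'"'')';
    EXEC (@sql);                             -- input has become code
END
GO

-- 3. Dynamic SQL done safely (assumed scenario: the searched column varies).
--    The user-supplied value travels as an sp_executesql parameter, never as text;
--    the identifier is checked against an allow-list and wrapped with QUOTENAME.
CREATE PROCEDURE dbo.SearchPhrase_Dynamic_Safe
    (@var1 NVARCHAR(100), @colName SYSNAME)
AS
BEGIN
    IF @colName NOT IN (N'col1', N'col2')    -- allow-list of searchable columns (assumed)
    BEGIN
        RAISERROR(N'Column is not searchable.', 16, 1);
        RETURN;
    END

    DECLARE @phrase NVARCHAR(102);
    SET @phrase = N'"' + @var1 + N'"';

    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT * FROM TABLE1 WHERE CONTAINS('
             + QUOTENAME(@colName) + N', @phrase)';

    -- @phrase is bound as a typed parameter of the compiled statement.
    EXEC sys.sp_executesql @sql, N'@phrase NVARCHAR(102)', @phrase = @phrase;
END
GO

-- Usage (all three take the same search text):
-- EXEC dbo.SearchPhrase_Safe @var1 = N'stored procedure';
-- EXEC dbo.SearchPhrase_Dynamic_Safe @var1 = N'stored procedure', @colName = N'col1';
```

The test for "is this injectable" is the one the answer gives: trace where the concatenated string ends up. In procedures 1 and 3 it is consumed only as a value (by `CONTAINS` directly, or by `sp_executesql` as a bound parameter); in procedure 2 it is consumed by the SQL compiler, so its contents decide what executes.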