Home/ Questions/Q 7942599
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T00:01:31+00:00

How do I prevent SQL attack in input parameters? Unsafe characters (‘ ) I

  • 0

How do I prevent SQL attack in input parameters? Unsafe characters (‘ “)

I have the following stored procedure:

I would like to protect the inputs – @NICKNAME_USER, @PASSWORD_USER

IF  EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[SP_AUTH]') AND type in (N'P', N'PC'))
DROP PROCEDURE [dbo].[SP_AUTH]
GO

CREATE PROCEDURE [dbo].[SP_AUTH]    (@ACTION    INT = NULL,
                                     @NICKNAME_USER VARCHAR(250) = NULL,
                                     @PASSWORD_USER VARCHAR(250) = NULL)
AS
BEGIN TRY
    IF @ACTION = 'L'
         BEGIN

    SELECT  U.ID AS ID_USER, 
            U.NICKNAME AS NICKNAME
            FROM dbo.T_USERS AS U WITH (NOLOCK)
            WHERE U.NICKNAME = @NICKNAME_USER
            AND U.PASSWORD = @PASSWORD_USER
   END
END TRY
BEGIN CATCH

    DECLARE @ErrorMessage NVARCHAR(4000),
            @ErrorSeverity INT,
            @ErrorState INT

    SELECT 
        @ErrorMessage = ERROR_MESSAGE(),
        @ErrorSeverity = ERROR_SEVERITY(),
        @ErrorState = ERROR_STATE();

    RAISERROR (@ErrorMessage, -- Message text.
               @ErrorSeverity, -- Severity.
               @ErrorState -- State.
               );
END CATCH
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Just using procedures with parameters will prevent you from sql injection. For further info on msdn is here.

    • 0