I have a sp which takes input @featuretype. @featuretype will be equal to either

Question

0

Asked: June 10, 20262026-06-10T00:48:23+00:00 2026-06-10T00:48:23+00:00

I have a sp which takes input @featuretype. @featuretype will be equal to either

0

I have a sp which takes input @featuretype. @featuretype will be equal to either “mobile”, “login”, or “index”, and will correspond to a column in the db.

In my sp I have:

EXEC(
    'select TOP 3 * from featuredtypes_v where'+' featuredtypes_v.'+@featuretype+'Page=1'+
    ' order by featuredtypes_v.priority desc'
    )

However, I’ve been told this opens up the db to a sql injection. My two questions are, why is this, and how else can I write this query in order to avoid this?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-10T00:48:25+00:00

Editorial Team

2026-06-10T00:48:25+00:00Added an answer on June 10, 2026 at 12:48 am

Why don’t you use case?

select TOP 3 * 
from featuredtypes_v F
where
    case
        when @featuretype = 'mobile' then F.MobilePage
        when @featuretype = 'login' then F.LoginPage
        when @featuretype = 'index' then F.IndexPage
    end
    = 1

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a sp which takes input @featuretype. @featuretype will be equal to either

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply