Is the following SQL susceptible to SQL injection via the @SearchWord parameter?
I want to use parameters with the FormsOf function, but the only guide to doing so I’ve found is in this Stack Overflow question: How to pass parameter to FormsOf function in sql server
However the solution seems to be to use a bit of dynamic SQL, and I was wondering if that would be susceptible to SQL injection. What would happen in the following example if @searchWord contained a SQL injection type string? Is it not a problem because it’s still within a parameter, passed as an argument to FREETEXTTABLE?
The solution given is:
DECLARE @SearchWord nvarchar(max)
SET @SearchWord = 'tax'
DECLARE @SearchString nvarchar(max)
SET @SearchString = 'FormsOf(INFLECTIONAL, "' + @SearchWord + '")'
SELECT listing_id, RANK, name, address, city, zip, heading, phone
FROM listings a,
FREETEXTTABLE(listings, *, @SearchString)
WHERE [KEY] = a.listing_id
ORDER BY RANK DESC, name
No, it’s not susceptible. There’s no dynamic SQL here (that would require either using
EXECorsp_executesql), so there’s no vector for SQL injection.In order for a SQL injection vulnerability to exist, the user-supplied string (in this case
@SearchWord) must actually be inserted directly into the text of the SQL statement. Here, it’s only being used to construct another string variable, which is subsequently used as a parameter to another SQL statement.This statement can, however, fail if the user inputs an “invalid” search word, i.e. one containing single quotes, so you should probably still escape whatever value is passed to
@SearchWord. But it cannot be used to execute arbitrary SQL.