Stored procedure is as follows: CREATE PROCEDURE Foo @bar varchar(100) AS SELECT * FROM

Question

0

Asked: May 17, 20262026-05-17T21:35:47+00:00 2026-05-17T21:35:47+00:00

Stored procedure is as follows: CREATE PROCEDURE Foo @bar varchar(100) AS SELECT * FROM

0

Stored procedure is as follows:

CREATE PROCEDURE Foo
    @bar varchar(100)
AS

SELECT * FROM tablename
WHERE columnname LIKE '%' + @bar + '%'

I’ve tried passing various strings to this stored procedure, but to me it looks like this would be safe from a SQL injection since everything between and including the wildcards would result in a single string.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-17T21:35:48+00:00

Editorial Team

2026-05-17T21:35:48+00:00Added an answer on May 17, 2026 at 9:35 pm

If you are using C# and your code looks like this:

SqlCommand command = new SqlCommand("Foo", connection);
command.CommandType = CommandType.StoredProcedure;
command.Parameters.AddWithValue("@bar", myTextBox.Text);

then yes!

If it looks like this:

SqlCommand command = new SqlCommand("EXEC Foo '" + myTextBox.Text + "'", connection);

then no!

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Stored procedure is as follows: CREATE PROCEDURE Foo @bar varchar(100) AS SELECT * FROM

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply