This can be easily injected here because the @ID param can be practically anything

Question

0

Asked: May 27, 20262026-05-27T13:28:35+00:00 2026-05-27T13:28:35+00:00

This can be easily injected here because the @ID param can be practically anything

0

This can be easily injected here because the @ID param can be practically anything in this SQL statement by inputting it, however, how do you prevent this exploit?

I prefer to specifically prevent this exploit at this level rather than application level, any suggestions?

CREATE PROCEDURE [dbo].[GetDataByID]
@ID bigint,
@Table varchar(150)
AS
BEGIN

Declare @SQL Varchar(1000)

SELECT @SQL = 'SELECT * FROM ' + @Table + ' WHERE ID = ' + CONVERT(varchar,@ID)

SET NOCOUNT ON;

EXEC(@sql)  
END

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-27T13:28:36+00:00

Editorial Team

2026-05-27T13:28:36+00:00Added an answer on May 27, 2026 at 1:28 pm

Check this page, it has a wonderful guide to dynamic sql, and the options to execute them safely

In your case it should be like this:

SELECT @SQL =  N'SELECT * FROM ' + quotename(@Table) + N' WHERE ID = @xid' 
EXEC sp_executesql @SQL, N'@xid bigint', @ID

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

This can be easily injected here because the @ID param can be practically anything

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply