We currently receive parameters of values as VARCHARs, and then build a date from them. I am wanting to confirm that the method below would stop the possibility of SQL injection from this statement:
select CONVERT(datetime, '2010' + '-' + '02' + '-' + '21' + ' ' + '15:11:38.990')
Another note is that the actual parameters being passed through to the stored proc are length-bound at (4, 2, 2, 10, 12) VARCHARs, corresponding to the above.
If you use the statement like this, within a stored procedure:
then you should be fine, since the target datatype datetime will only receive valid date strings.
If you use it like this in your stored procedure:
you could have an issue. Unlikely, since the input strings are limited to a short length, but who knows what some hacker will think up to fit in that tiny space.
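The two shapes the answer contrasts, written out as an added T-SQL example (not the asker's or answerer's code); the procedure name and the parameter names @Year, @Month, @Day and @Time are assumptions, as is the four-parameter split:

```sql
-- Added example: the parameter names and procedure names are assumed.
CREATE PROCEDURE dbo.BuildEventTime
    @Year  VARCHAR(4),
    @Month VARCHAR(2),
    @Day   VARCHAR(2),
    @Time  VARCHAR(12)
AS
BEGIN
    SET NOCOUNT ON;

    -- Safe form: the concatenation is a string *expression* evaluated by
    -- the already-compiled statement, never re-parsed as SQL.  CONVERT
    -- either yields a datetime or raises a conversion error; nothing a
    -- caller places in @Year etc. can change which statement runs.
    -- Style 121 (yyyy-mm-dd hh:mi:ss.mmm) is independent of SET DATEFORMAT.
    DECLARE @When DATETIME =
        CONVERT(DATETIME, @Year + '-' + @Month + '-' + @Day + ' ' + @Time, 121);

    SELECT @When AS EventTime;
END;
GO

-- Risky form the answer warns about: the same pieces spliced into SQL
-- text that is then executed.  Here the parameters become part of the
-- statement, so the declared lengths are the only remaining control.
-- Shown for contrast only.
CREATE PROCEDURE dbo.BuildEventTime_Dynamic
    @Year  VARCHAR(4),
    @Month VARCHAR(2),
    @Day   VARCHAR(2),
    @Time  VARCHAR(12)
AS
BEGIN
    DECLARE @sql NVARCHAR(400) =
        N'SELECT CONVERT(DATETIME, ''' + @Year + '-' + @Month + '-' + @Day
        + ' ' + @Time + ''', 121) AS EventTime';
    EXEC (@sql);

    -- If dynamic SQL is genuinely needed, keep the values out of the text
    -- and bind them as parameters instead:
    EXEC sp_executesql
        N'SELECT CONVERT(DATETIME, @y + ''-'' + @m + ''-'' + @d + '' '' + @t, 121) AS EventTime',
        N'@y VARCHAR(4), @m VARCHAR(2), @d VARCHAR(2), @t VARCHAR(12)',
        @y = @Year, @m = @Month, @d = @Day, @t = @Time;
END;
GO
```

On SQL Server 2012 or later, TRY_CONVERT in place of CONVERT returns NULL instead of raising on malformed input, which lets the procedure reject bad dates explicitly rather than surfacing a conversion error to the caller.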