f0rfun

Reputation: 757

How much damage can SQL injection do via this stored procedure?

I recently chanced upon a stored procedure hardcoded by my predecessors to perform some CRUD. It affects non-critical tables in the production database. I feel like it's vulnerable to SQL injection, but it seems like the injection is really harmless as it's performing CRUD on non-critical tables.

The @LocalDatabase parameter is passed in from the connectionString="Server=localHost;Database=localDatabase;..." in the config file.

I was wondering if a possible SQL injection in this specific SP can catastrophically harm the production database? I'm weighing the cost-benefit of rewriting this whole module.

ALTER PROCEDURE StoredProc_Name
(
    @LocalDatabase      varchar(50),
    @Result             int             OUTPUT
)
AS
DECLARE @Sql nvarchar(max)

-- The database name is spliced into the statement text by string concatenation
-- (twice), with no delimiting or validation of the value.
SET @Sql = N'UPDATE <Production Database>.Table1
SET     ...
FROM    <Production Database>.NewTable INNER JOIN
        '+ @LocalDatabase +'.dbo.Table1 ON ... INNER JOIN
        '+ @LocalDatabase +'.dbo.Table2 ON ...
WHERE   NOT EXISTS(SELECT   1
                    FROM    <Production Database>.dbo.Table2
                    WHERE   .....)'

-- Runs the assembled text with the caller's permissions.
EXEC(@Sql)
SET @Result = @@ROWCOUNT

I'd appreciate any advice or help pointing me in the right direction. Thanks in advance.

Upvotes: 0

Views: 54

Answers (1)

Brian Mains

Reputation: 50728

As long as the user isn't affecting the value passed in as @LocalDatabase, this approach would be OK. Not using dynamic SQL would be better, but this approach can work...

Upvotes: 1
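The following T-SQL is an added example, not the asker's procedure or the answerer's code. It reduces the question's pattern (a database name spliced into dynamic SQL by concatenation) to one self-contained statement so the effect of a hostile @LocalDatabase can be observed, and places the hardened form next to it: look the name up in sys.databases before use, and delimit it with QUOTENAME so it can only ever be parsed as a single identifier. Every object name here (dbo.Canary, dbo.Demo_Concat, dbo.Demo_Safe, @BadName) is constructed for the demo; run it in a throwaway database on SQL Server 2016 SP1 or later (CREATE OR ALTER) with a tool that understands GO, such as SSMS or sqlcmd.

```sql
-- Scratch table standing in for one of the "non-critical" production tables (constructed).
IF OBJECT_ID(N'dbo.Canary') IS NOT NULL DROP TABLE dbo.Canary;
CREATE TABLE dbo.Canary (id int NOT NULL);
INSERT INTO dbo.Canary (id) VALUES (1);
GO

-- Vulnerable: same shape as the question. Whatever is in @LocalDatabase becomes part of
-- the statement text, so nothing forces it to be a single database name.
CREATE OR ALTER PROCEDURE dbo.Demo_Concat
    @LocalDatabase varchar(50),
    @Result        int OUTPUT
AS
BEGIN
    DECLARE @Sql nvarchar(max);
    SET @Sql = N'SELECT COUNT(*) FROM ' + @LocalDatabase + N'.sys.objects';
    EXEC (@Sql);                 -- executes with the caller's permissions
    SET @Result = @@ROWCOUNT;
END;
GO

-- Hardened: allow-list by lookup, then delimit the identifier.
CREATE OR ALTER PROCEDURE dbo.Demo_Safe
    @LocalDatabase sysname,      -- sysname = nvarchar(128), the type of sys.databases.name
    @Result        int OUTPUT
AS
BEGIN
    -- The value must be exactly the name of a database that exists on this instance.
    IF NOT EXISTS (SELECT 1 FROM sys.databases WHERE name = @LocalDatabase)
    BEGIN
        RAISERROR(N'@LocalDatabase does not name a database on this instance.', 16, 1);
        RETURN;
    END;

    -- QUOTENAME wraps the name in [] and doubles any embedded ], so even a legitimate
    -- database whose name contains ] or ; is still read as one identifier.
    DECLARE @Sql nvarchar(max) =
        N'SELECT @Count = COUNT(*) FROM ' + QUOTENAME(@LocalDatabase) + N'.sys.objects;';

    -- Identifiers cannot be parameterised, but the result can be: sp_executesql returns
    -- the count through a typed OUTPUT parameter instead of relying on @@ROWCOUNT.
    EXEC sys.sp_executesql @Sql, N'@Count int OUTPUT', @Count = @Result OUTPUT;
END;
GO

-- Payload (constructed): a real database name followed by a second statement. It fits
-- inside varchar(50), so the column width is no protection.
DECLARE @BadName varchar(50) = 'tempdb.sys.objects; DROP TABLE dbo.Canary; --';
DECLARE @Result  int;

-- Concatenated version: the text after "tempdb.sys.objects" simply runs as well.
EXEC dbo.Demo_Concat @LocalDatabase = @BadName, @Result = @Result OUTPUT;
SELECT CASE WHEN OBJECT_ID(N'dbo.Canary') IS NULL
            THEN 'Demo_Concat: dbo.Canary was dropped'
            ELSE 'Demo_Concat: dbo.Canary intact' END AS outcome;

-- Restore the canary and feed the same payload to the hardened version.
IF OBJECT_ID(N'dbo.Canary') IS NULL CREATE TABLE dbo.Canary (id int NOT NULL);

BEGIN TRY
    EXEC dbo.Demo_Safe @LocalDatabase = @BadName, @Result = @Result OUTPUT;
END TRY
BEGIN CATCH
    SELECT 'Demo_Safe rejected input: ' + ERROR_MESSAGE() AS outcome;
END CATCH;

-- The legitimate call still works and the canary is untouched.
EXEC dbo.Demo_Safe @LocalDatabase = N'tempdb', @Result = @Result OUTPUT;
SELECT @Result AS objects_in_tempdb,
       CASE WHEN OBJECT_ID(N'dbo.Canary') IS NULL THEN 'dropped' ELSE 'intact' END AS canary;
```

Two points the demo makes concrete for the cost-benefit question. First, the blast radius is not "the non-critical tables the procedure touches" but "whatever the caller is allowed to do", because EXEC on assembled text is not protected by ownership chaining; the injected statement is checked against the caller's permissions, and the procedure in the question does an UPDATE against production, so that caller already has write rights there. Second, the input really is the config file: as the answer says, this is fine as long as nobody who should not can change that value, so the question to settle is who can write to the deployed configuration. The sys.databases lookup plus QUOTENAME is cheap to add to the existing procedure if a full rewrite is not justified.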
