In the below sample code, Table Name is an input parameter. In this case, how can I avoid SQL injection using sp_executesql. Below is the sample code, I am trying to use sp_executesqlto avoid it but it doesn't work. Can anyone tell me how to correct it?
ALTER PROC Test @param1 NVARCHAR(50),
@param2 INT,
@tblname NVARCHAR(100)
AS
BEGIN
DECLARE @sql NVARCHAR(1000)
SET @sql= N' select * from ' + @tblname
+ ' where name= @param1 and id= @param2';
PRINT @sql
EXEC Sp_executesql
@sql,
N'@param1 nvarchar(50), @param2 int',
@param1,
@param2;
END
EXEC Test
'John',
2,
' emp; delete from emp where id = 567; select * from emp '
Output: Print message:
select * from emp; delete from emp where id = 567; select * from emp where name= @param1 and id= @param2;
All the input parameters are exactly substituted and one row is deleted. Please let me know how to handle this scenario.
You can enclose the table name in []
SET @sql= N' select * from [' + @tblname + '] where name= @param1 and id= @param2';
However, if you use a two-part naming convention e.g dbo.tablename, you have to add additional parsing, since [dbo.tablename] will result to:
Invalid object name [dbo.tablename].
You should parse it so that it'll be equal to dbo.[tablename].