I'm creating a SqlCommand with the name of the stored procedure specified by the user in UserStoredProcedureName using the following code:

new SqlCommand(UserStoredProcedureName, connection) { CommandType = CommandType.StoredProcedure }

There is no validation done on the string supplied by the user in UserStoredProcedureName. Is the user only able to specify the name of stored procedures in the database? Is the user able to perform a SQL injection attack by crafting a malicious stored procedure name? For example:

UserStoredProcedureName = "SELECT * FROM USERS";
You shouldn't let external code supply a stored procedure name. Reasons: the stored procedure could be sp_executesql, which can run anything that you supply as the first parameter. It could also be xp_cmdshell or similar.
So: you should still control the input stored procedure name via a white-list. If the name is coming from your own code, it shouldn't be a problem, and it isn't normal to white-list in that scenario.
Note: if a stored procedure internally uses EXEC (@sql) or EXEC sp_executesql @sql, then it can still present a SQL injection attack, depending on whether @sql could contain malicious non-parameterized SQL. Note that sp_executesql is designed to allow you to fully parameterize dynamic SQL, to avoid SQL injection attacks even inside SQL generated inside SQL.
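The white-list the answer recommends, as an added example that is not part of the question or the answer above. It maps the caller-supplied token to a fixed, schema-qualified procedure name from a table the application owns, so the user's string itself never reaches SqlCommand, and it passes the procedure's arguments as SqlParameters rather than concatenating them. The procedure names, parameter names and the Microsoft.Data.SqlClient namespace are assumptions for the example; the same code works with System.Data.SqlClient.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient; // assumption: System.Data.SqlClient works the same way

public static class StoredProcedureDispatcher
{
    // Allow-list (white-list). Keys are the only tokens external callers may send;
    // values are the real procedure names, owned by the application, not the user.
    // Procedure names are assumed for this example.
    private static readonly IReadOnlyDictionary<string, string> AllowedProcedures =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["get-user"]    = "dbo.usp_GetUser",
            ["list-orders"] = "dbo.usp_ListOrders",
        };

    // Returns the approved procedure name for a caller token, or null if the token
    // is not on the list. Anything not listed (sp_executesql, xp_cmdshell, a raw
    // SELECT, ...) is rejected here, before any SqlCommand exists.
    public static string ResolveProcedure(string userStoredProcedureName)
    {
        if (string.IsNullOrWhiteSpace(userStoredProcedureName))
            return null;
        return AllowedProcedures.TryGetValue(userStoredProcedureName.Trim(), out var procName)
            ? procName
            : null;
    }

    // Builds the command from the resolved name only. The caller's original string
    // is used solely as a lookup key and never becomes CommandText.
    public static SqlCommand CreateCommand(
        string userStoredProcedureName,
        SqlConnection connection,
        IReadOnlyDictionary<string, object> arguments)
    {
        var procName = ResolveProcedure(userStoredProcedureName)
            ?? throw new ArgumentException(
                $"'{userStoredProcedureName}' is not an allowed stored procedure key.",
                nameof(userStoredProcedureName));

        var command = new SqlCommand(procName, connection) { CommandType = CommandType.StoredProcedure };

        // Arguments travel as parameters, never as text appended to CommandText.
        foreach (var kv in arguments)
            command.Parameters.AddWithValue("@" + kv.Key, kv.Value ?? DBNull.Value);

        return command;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs: one allowed token, one that must be refused.
        Console.WriteLine(StoredProcedureDispatcher.ResolveProcedure("get-user"));            // dbo.usp_GetUser
        Console.WriteLine(StoredProcedureDispatcher.ResolveProcedure("sp_executesql") is null); // True
        Console.WriteLine(StoredProcedureDispatcher.ResolveProcedure("SELECT * FROM USERS") is null); // True

        // Usage against a real connection (connection string is a placeholder):
        // using var connection = new SqlConnection("<connection string>");
        // connection.Open();
        // using var cmd = StoredProcedureDispatcher.CreateCommand("get-user", connection,
        //     new Dictionary<string, object> { ["UserId"] = 42 });
        // using var reader = cmd.ExecuteReader();
    }
}
```

Keeping the lookup in a separate ResolveProcedure step makes the check easy to unit-test without a database, and the rejection happens before any SqlCommand is constructed. The list only governs which procedure is called; as the answer notes, a listed procedure that builds dynamic SQL from its own inputs still has to use sp_executesql with parameters inside T-SQL to stay injection-safe.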