To SP or not to SP in SQL Server

Just read this article, I am stronge following to SPs. Of of the points highlighted in this were a bit of suprise to me.

Using SPs make it more likely that you will pass parameters the
right way, but there is no guarantee.

I thought it is possible to do it in SPs when I saw an SP like:

@SQLStatement varchar(8000)
EXEC @SQLStatement

I talked to the developer about this, they did this so they wouldn’t have to create SPs for all the adhoc code they have, and they were kind of trying to follow the rule only code gets exectued by means of stored procedures.

But according to Douglas, it is pobbile to do it other ways. I would like to find other ways to do SQL Injection, not to execute it but to understand SQL Injection in further depth.

Ref Link:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.