kelsie_85 (kelsie_85) wrote in webdev,

SQL injection .NET

The pentesters told us that the following code is vulnerable to SQL injection in our e-store:

create procedure dbo.uspBeAfraidBeVeryAfraid ( @p1 varchar(64) )
AS
SET NOCOUNT ON
declare @sql varchar(512)
set @sql = 'select * from ' + @p1
exec(@sql)
GO


How should I fix the issue?