SQL Injection in SQL Dynamic SQL Server


I have a stored procedure:

create procedure spc_common_lst1
    @p_tables     nvarchar(max) = '',
    @p_columns    nvarchar(max) = '*',
    @p_conditions nvarchar(max) = '(1 = 1)'
as
begin
    declare @sql nvarchar(max), @params nvarchar(max)

    -- the condition is not spliced into the text; it is handed over as a
    -- parameter, so the generated statement literally reads "... where @p_conditions"
    set @sql = 'select ' + @p_columns + ' from ' + @p_tables + ' where @p_conditions '
    set @params = n'@p_conditions nvarchar(500)'

    exec sp_executesql @sql, @params, @p_conditions
end

In the WHERE condition I don't want to have an SQL injection attack.

But when I run the stored procedure

execute spc_common_lst1 'm610','client_cd, client_nm','(client_cd = 0000010001) , (del_flag = 0)' 

I get the error:

an expression of non-boolean type specified in context condition expected, near '@p_conditions'
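The error is expected: an sp_executesql parameter can only carry a value, never SQL text, so "where @p_conditions" compares nothing and the server rejects it. The fix is a different design, shown here as an added example (not code from the question): identifiers are validated against the catalog and wrapped in QUOTENAME, while the filter values travel as real parameters. The procedure name spc_common_lst1_safe, the parameters @p_client_cd and @p_del_flag, and the use of STRING_SPLIT/STRING_AGG (SQL Server 2017+) are assumptions for the demo.

```sql
-- Added example, not from the original post: a hardened variant of spc_common_lst1.
-- Assumes the target table has columns client_cd and del_flag, as in the question's call.
create or alter procedure spc_common_lst1_safe
    @p_table     sysname,                  -- exactly one table name
    @p_columns   nvarchar(max) = N'*',     -- comma-separated column names or '*'
    @p_client_cd nvarchar(20)  = null,     -- filter VALUES, never filter text
    @p_del_flag  int           = null
as
begin
    set nocount on;

    -- 1. The table must be a real object; anything else is rejected outright.
    declare @obj int = object_id(quotename(@p_table));
    if @obj is null
        throw 50001, N'Unknown table', 1;

    -- 2. Every requested column must exist on that table; build a QUOTENAMEd list.
    declare @cols nvarchar(max) = N'*';
    if @p_columns <> N'*'
    begin
        declare @requested int = (select count(*) from string_split(@p_columns, N','));
        declare @matched int;

        select @cols    = string_agg(cast(quotename(c.name) as nvarchar(max)), N', '),
               @matched = count(*)
        from string_split(@p_columns, N',') s
        join sys.columns c
          on c.object_id = @obj
         and c.name      = ltrim(rtrim(s.value));

        -- a requested name that matched nothing means an unknown (or injected) column
        if @matched <> @requested
            throw 50002, N'Unknown column', 1;
    end

    -- 3. Only catalog-checked, quoted identifiers are concatenated into the text;
    --    the values are bound as parameters, so they can never become SQL.
    declare @sql nvarchar(max) =
        N'select ' + @cols + N' from ' + quotename(@p_table) +
        N' where (@client_cd is null or client_cd = @client_cd)' +
        N'   and (@del_flag  is null or del_flag  = @del_flag)';

    exec sp_executesql @sql,
         N'@client_cd nvarchar(20), @del_flag int',
         @client_cd = @p_client_cd,
         @del_flag  = @p_del_flag;
end
```

The question's call then becomes execute spc_common_lst1_safe N'm610', N'client_cd, client_nm', N'0000010001', 0; if the condition set must stay open-ended, add one typed parameter per allowed filter column rather than accepting free-form condition text.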

