October 24, 2006

Parameterized query

Here are some parameterized query examples using sp_executesql:

-- Get the text of the SysObjects view.
exec sp_executesql N'exec sp_helptext @objname=@p0',N'@p0 varchar(50)',@p0='sysobjects'
-- Query the SysObjects view.
exec sp_executesql N'select * from master..sysobjects where name=@p0',N'@p0 varchar(50)',@p0='sysusers'
-- Attempt SQL injection... fails: the whole value, including the embedded quote and the
-- DROP statement, is bound as the literal @p0 and simply matches no row.
exec sp_executesql N'select * from master..sysobjects where name=@p0',N'@p0 varchar(50)',@p0='sysusers''; drop database Northwind; --'
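To make the contrast explicit, here is an added example (not part of the original post) that runs the same lookup two ways against a SQL Server instance: once as concatenated dynamic SQL, once through sp_executesql. The value in @input is a constructed stand-in for untrusted input, shaped like the post's payload but made read-only so the script is harmless to run; the parameter is declared as sysname, the actual type of sysobjects.name, which is an assumption about the target column rather than something the post states.

```sql
-- Added example, not from the original post. @input is a constructed value
-- standing in for untrusted input; it carries the same quote-and-comment
-- shape as the post's payload but only smuggles a harmless SELECT.
DECLARE @input nvarchar(200);
SET @input = N'sysusers''; select ''injected'' as smuggled; --';

-- 1. Vulnerable: dynamic SQL built by string concatenation.
--    The single quote inside @input closes the literal early, so the rest
--    of the value becomes part of the query text and is executed.
DECLARE @sql nvarchar(4000);
SET @sql = N'select name from master..sysobjects where name=''' + @input + N'''';
PRINT @sql;   -- select name from master..sysobjects where name='sysusers'; select 'injected' as smuggled; --'
EXEC (@sql);  -- two result sets: any matching rows, then the smuggled SELECT

-- 2. Parameterized: the query text is fixed and @input is bound as a value.
--    The entire string, quotes and all, is compared against name; it matches
--    no row and nothing else executes. Declaring @p0 with the column's own
--    type (sysname, assumed here) avoids relying on implicit conversion.
EXEC sp_executesql
    N'select name from master..sysobjects where name=@p0',
    N'@p0 sysname',
    @p0 = @input;
```

The PRINT line is the useful diagnostic when auditing existing dynamic SQL: if you can see user-supplied text spliced into the statement string, the EXEC below it is injectable, whereas the sp_executesql call has no such splice point because the statement text never changes.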