Stored Procedures and SQL Injections


Related to the previous post, I present you a simple SP that is highly vulnerable to SQL injection, and is directly related to my statement about evil sadistic bastards.

```sql
ALTER PROCEDURE GetDataForDate
    @date DATETIME
AS
    DECLARE @sql nvarchar(max)

    -- The table name is built at runtime from the current date (table-per-day
    -- design); note that the @date parameter is declared but never used.
    SET @sql = 'select * from data_' + convert(nvarchar(30), getdate(), 112)

    -- Dynamic SQL is executed verbatim; the whole statement lives in a string.
    EXEC sp_executesql @sql
```

I think you can deduce what the rest of the system looked like, and what fun it was optimizing the reports that run over data gathered for years.
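For contrast, here is a hardened version of the same table-per-day lookup, written as an added example rather than code from the original post. It assumes the daily tables are named data_YYYYMMDD in the dbo schema and have a hypothetical integer column named value; the procedure name and the @minValue filter are also hypothetical. The date suffix is derived server-side from a typed DATETIME, the identifier is wrapped in QUOTENAME, the table is checked for existence before anything is executed, and every filter value is passed as a real parameter to sp_executesql instead of being concatenated into the SQL text.

```sql
-- Added example, not part of the original post. Assumptions: tables are
-- named data_YYYYMMDD in schema dbo and expose an INT column "value".
CREATE PROCEDURE GetDataForDateSafe
    @date DATETIME,
    @minValue INT = NULL   -- hypothetical row filter, to show parameter passing
AS
BEGIN
    SET NOCOUNT ON;

    -- Build the suffix from a typed DATETIME. Style 112 yields exactly eight
    -- digits (yyyymmdd), so no caller-controlled text reaches the identifier.
    DECLARE @suffix NVARCHAR(8) = CONVERT(NVARCHAR(8), @date, 112);
    DECLARE @table SYSNAME = N'data_' + @suffix;

    -- Refuse to run against a table that does not exist instead of letting the
    -- dynamic statement fail with an error that echoes the generated SQL.
    IF OBJECT_ID(N'dbo.' + QUOTENAME(@table), N'U') IS NULL
    BEGIN
        RAISERROR(N'No data table exists for the requested date.', 16, 1);
        RETURN;
    END

    -- Only the identifier is concatenated, and it is quoted with QUOTENAME.
    -- Values are bound through sp_executesql parameters, never as SQL text.
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.' + QUOTENAME(@table) +
        N' WHERE (@minValue IS NULL OR value >= @minValue);';

    EXEC sp_executesql @sql, N'@minValue INT', @minValue = @minValue;
END
GO

-- Usage (constructed sample call): reads dbo.data_20240105 if it exists.
EXEC GetDataForDateSafe @date = '2024-01-05', @minValue = 10;
```

The shape that is actually injectable is the same procedure taking the table suffix as a free-form string argument; keeping the parameter typed as DATETIME and formatting it inside the procedure is what removes that path.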