Stored Procedures and SQL Injections
Related to the previous post, I present a simple SP that is highly vulnerable to SQL injection, and that relates directly to my statement about evil sadistic bastards.
ALTER PROCEDURE GetDataForDate
    @date DATETIME
AS
    -- Builds the query text at runtime: the table name is derived from getdate(),
    -- so each day's rows live in their own table (data_yyyymmdd). Note that the
    -- @date parameter is declared but never referenced in the body.
    DECLARE @sql nvarchar(max)
    SET @sql = 'select * from data_' + convert(nvarchar(30), getdate(), 112)
    EXEC sp_executesql @sql
I think you can deduce what the rest of the system looked like, and what fun it was optimizing the reports that run over data gathered over years.
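For contrast, here is how the same table-per-day lookup can be written without handing the caller any influence over the generated SQL text. This is an added example, not code from the original post or the system it describes. It assumes the day tables really are named data_yyyymmdd as the SP implies; the procedure name, the dbo schema and the created_at column are placeholders chosen for the example.

```sql
-- Added example (not from the original post): a hardened variant of the
-- dynamic-SQL day-table lookup. Assumptions: tables named dbo.data_yyyymmdd,
-- a created_at column on them, and SQL Server 2016 SP1+ for CREATE OR ALTER.
CREATE OR ALTER PROCEDURE GetDataForDateSafe
    @date DATE
AS
BEGIN
    SET NOCOUNT ON;

    -- Derive the identifier from a typed DATE, never from caller-supplied text.
    -- Style 112 renders yyyymmdd with no separators, so no quoting or comment
    -- characters can reach the query text from here.
    DECLARE @table sysname = N'data_' + CONVERT(nvarchar(8), @date, 112);

    -- Allow-list check: only run against a table that actually exists under
    -- that name. This also gives a clean error instead of a "missing object"
    -- failure deep inside sp_executesql.
    IF OBJECT_ID(N'dbo.' + QUOTENAME(@table), N'U') IS NULL
    BEGIN
        RAISERROR(N'No data table for %s', 16, 1, @table);
        RETURN;
    END

    -- The identifier is the only thing spliced into the text, and it is
    -- bracketed with QUOTENAME as defence in depth. Every value is passed as
    -- a real parameter of sp_executesql rather than concatenated.
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM dbo.' + QUOTENAME(@table)
        + N' WHERE created_at >= @since ORDER BY created_at;';

    DECLARE @since datetime2 = CAST(@date AS datetime2);
    EXEC sys.sp_executesql
        @sql,
        N'@since datetime2',
        @since = @since;
END
GO

-- Usage (assumed table): EXEC GetDataForDateSafe @date = '2013-04-01';
```

The three moves that matter are the typed DATE parameter (a string parameter is what turns this pattern into an injection point), QUOTENAME around the one identifier that has to be concatenated, and sp_executesql's parameter list for everything else. The OBJECT_ID check is the allow-list: even if an identifier somehow did carry hostile text, it would have to name an existing user table to get past it.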