Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
Matt2k9
Starting Member
10 Posts |
 Posted - 2008-09-29 : 10:37:07
|
| I have a full text search sproc which accepts a string as a parameter i.e. @term nvarchar(120)I then have to do this within the sproc:declare @searchPhrase nvarchar(150)set @searchPhrase = ' ' ' ISABOUT(" ' + @term + ' " ' ' ' then I use this within the procedure: INNER JOIN FREETEXTTABLE(product, [productname], @searchPhrase) as key_tbl Now, the sproc is fast, but I was wondering if wrapping the isabout bit etc around the @term parameter before using is a security risk? I have run some tests by doing attempted sql injections and looking at profiler and it seems that the input is always being treated as literal - i.e. no risk, but I'm not a sql injection expert so was wondering if this design poses a sql injection risk? The only other option I have would be to run the whole thing as dynamic sql and use sp_executesql....which I would rather avoid.Thanks,Matt |
|
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2008-09-29 : 10:59:23
|
No, you are not at risk for sql injection here, because the FREETEXTTABLE function accepts the userdefined string as parameters only.Unless your whole INNER JOIN statement is dynamic sql?
E 12°55'05.63"N 56°04'39.26" |
 |
|
|
Matt2k9
Starting Member
10 Posts |
Posted - 2008-09-29 : 11:25:47
|
| That's good. No, I don't execute any dynamic sql using exec or sp_executesql, I just have: '''isabout(" ' + @term @ ' " ''' being set into @searchPhrase and @searchPhrase is then used in the inner join. Thanks. |
|
|
|
|
|
|
is this a sql injection risk?