Re: Is it possible to sql inject this code?



The 'sp_' prefix may work for user procs but it should not be used. Below
is an excerpt from the SQL 2000 Books Online:

<Excerpt href="createdb.chm::/cm_8_des_07_7yw5.htm">

It is strongly recommended that you do not create any stored procedures
using sp_ as a prefix. SQL Server always looks for a stored procedure
beginning with sp_ in this order:

1. The stored procedure in the master database.

2. The stored procedure based on any qualifiers provided (database name or
owner).

3. The stored procedure using dbo as the owner, if one is not specified.

Therefore, although the user-created stored procedure prefixed with sp_ may
exist in the current database, the master database is always checked first,
even if the stored procedure is qualified with the database name.

Important If any user-created stored procedure has the same name as a
system stored procedure, the user-created stored procedure will never be
executed.

</Excerpt>



--
Hope this helps.

Dan Guzman
SQL Server MVP

"Dixon" <vijaydixon@xxxxxxxxx> wrote in message
news:1137998938.536568.195380@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> It works fine even if you use sp_, no problem in SQL Server 2000
>
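The resolution order quoted from Books Online can be seen directly in T-SQL. The script below is an added illustration, not part of Dan Guzman's post or of the Books Online excerpt; it assumes a scratch database named SandboxDB (a hypothetical name) on SQL Server 2000 or later and builds its own small Customers table so it runs on its own.

```sql
-- Added example: how SQL Server resolves procedures whose names begin with sp_.
-- Assumes a scratch database called SandboxDB (hypothetical name).
USE SandboxDB;
GO

-- Constructed sample table so the procedures below have something to read.
CREATE TABLE dbo.Customers (CustomerID int PRIMARY KEY, Name varchar(50) NOT NULL);
INSERT INTO dbo.Customers (CustomerID, Name) VALUES (42, 'Sample Customer');
GO

-- 1. A user procedure whose name collides with a system procedure in master.
--    master is searched first, so this copy is never the one that runs.
CREATE PROCEDURE dbo.sp_help
AS
    SELECT 'user-defined sp_help in SandboxDB' AS which_proc;
GO

EXEC sp_help;                 -- runs master's sp_help, not the copy created above
EXEC SandboxDB.dbo.sp_help;   -- still master's copy: the database qualifier does not change the order
GO

-- 2. An sp_-prefixed user procedure with a unique name does resolve, but only
--    after master has been checked, so every call pays for the extra lookup.
CREATE PROCEDURE dbo.sp_get_customer
    @CustomerID int
AS
    SELECT CustomerID, Name FROM dbo.Customers WHERE CustomerID = @CustomerID;
GO

-- 3. The recommended form: a prefix other than sp_ (usp_ is a common convention),
--    resolved in the current database without consulting master.
CREATE PROCEDURE dbo.usp_get_customer
    @CustomerID int
AS
    SELECT CustomerID, Name FROM dbo.Customers WHERE CustomerID = @CustomerID;
GO

-- Parameterized call: the value is bound as @CustomerID, never concatenated into SQL text.
EXEC dbo.usp_get_customer @CustomerID = 42;
GO

-- Clean up the objects this script created.
DROP PROCEDURE dbo.sp_help;
DROP PROCEDURE dbo.sp_get_customer;
DROP PROCEDURE dbo.usp_get_customer;
DROP TABLE dbo.Customers;
GO
```

Step 1 reproduces the "Important" note in the excerpt: the locally created sp_help is silently shadowed by the system procedure, whether or not the call is qualified with the database name. Steps 2 and 3 compare the two naming choices for a procedure that does not collide; both work, but only the usp_ form skips the master lookup, which is why the excerpt advises against the sp_ prefix for user procedures.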
