Re: Is it possible to sql inject this code?

The 'sp_' prefix may work for user procs but it should not be used. Below
is an excerpt from the SQL 2000 Books Online:

<Excerpt href="createdb.chm::/cm_8_des_07_7yw5.htm">

It is strongly recommended that you do not create any stored procedures
using sp_ as a prefix. SQL Server always looks for a stored procedure
beginning with sp_ in this order:

1. The stored procedure in the master database.

2. The stored procedure based on any qualifiers provided (database name or
owner).

3. The stored procedure using dbo as the owner, if one is not specified.

Therefore, although the user-created stored procedure prefixed with sp_ may
exist in the current database, the master database is always checked first,
even if the stored procedure is qualified with the database name.

Important If any user-created stored procedure has the same name as a
system stored procedure, the user-created stored procedure will never be
executed.

</Excerpt>

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Dixon" <vijaydixon@xxxxxxxxx> wrote in message
news:1137998938.536568.195380@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> It works fine even if u use sp_ no problem in SQL Server 2000
>
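As an added example (not part of Dan's reply or the Books Online excerpt), the following T-SQL script walks through the resolution order quoted above on a SQL Server 2000 instance; DemoDb, the Orders table and the procedure names are placeholders:

```sql
-- Added example; DemoDb, dbo.Orders and the procedure names are placeholders.
USE DemoDb;
GO

-- 1. A user procedure whose name collides with a system procedure in master.
--    Per the excerpt, master is searched first for any sp_ name, so the
--    procedure created here is never the one that runs.
CREATE PROCEDURE dbo.sp_help
AS
    SELECT 'user-defined sp_help' AS which_proc;
GO

EXEC sp_help;              -- runs master..sp_help, the system procedure
EXEC DemoDb.dbo.sp_help;   -- same result: the database qualifier does not change the order
GO

-- 2. An sp_ procedure whose name does not exist in master does run, but
--    only after the lookup in master has failed on every single call.
CREATE PROCEDURE dbo.sp_GetOrderCount @CustomerId int
AS
    SELECT COUNT(*) AS order_count
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
GO

-- 3. Recommended form: a prefix other than sp_ plus an owner-qualified call,
--    so resolution goes straight to the procedure in the current database.
CREATE PROCEDURE dbo.usp_GetOrderCount @CustomerId int
AS
    SELECT COUNT(*) AS order_count
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
GO

EXEC dbo.usp_GetOrderCount @CustomerId = 42;
GO

-- Clean up the demonstration objects.
DROP PROCEDURE dbo.sp_help, dbo.sp_GetOrderCount, dbo.usp_GetOrderCount;
GO
```

Running step 1 returns the familiar system sp_help output rather than the 'user-defined sp_help' row, which is the shadowing the excerpt warns about.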