Scovetta, Michael V wrote:
At least in MSSQL, you'd have to do something bad like use sp_executesql or some other function that will re-form a complete sql query and pass that to the interpreter. As long as you do more sensible stuff like: insert into table (name, age) values (@b, @a) you should be fine.
Except that I've seen webbie-type people who will execute a stored proc by doing:
strSQL = "exec userLogin " + userName + " " + userPasswordwhich would be still be subject to a SQL Injection attack if I simply had a semicolon in the userPassword and then was able to pass any other query to it.
Cory