FormsOf function parameters and SQL injection

Is the following SQL susceptible to SQL injection through the @SearchWord parameter?

I want to use parameters with the FormsOf function, but the only guide I found for this is in this question: How to pass the parameter of the FormsOf function to the sql server

However, the solution seems to use a bit of dynamic SQL, and I was wondering whether it is susceptible to SQL injection. What happens in the following example if @SearchWord contains a string like an SQL injection? Isn't that a problem, because it is still in the parameter passed as the FREETEXTTABLE argument?

Solution:

DECLARE @SearchWord nvarchar(max)
SET @SearchWord = 'tax'

-- The search term is concatenated into the full-text search condition.
DECLARE @SearchString nvarchar(max)
SET @SearchString = 'FormsOf(INFLECTIONAL, "' + @SearchWord + '")'

-- @SearchString is passed to FREETEXTTABLE as a parameter value, not executed as T-SQL.
SELECT listing_id, RANK, name, address, city, zip, heading, phone
FROM listings a,
FREETEXTTABLE(listings, *, @SearchString)
WHERE [KEY] = a.listing_id
ORDER BY RANK DESC, name
+1

[Answer text lost in extraction. The surviving fragments refer to dynamic SQL (EXEC, sp_executesql), the @SearchWord parameter, and a failure case.]

+2

[Answer text lost in extraction. The surviving fragments refer to @SearchString being passed to FREETEXTTABLE.]

+1
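The question turns on which parser sees the user's text. An added example (not code from the original question or its answers) puts the two cases side by side: a term spliced into the statement text, where the T-SQL parser reads it, and the question's pattern, where concatenation only builds the value of a variable that the full-text engine later reads as a search condition. It assumes a table dbo.listings with a full-text index on the columns used, and it uses CONTAINSTABLE because FormsOf belongs to the CONTAINS search-condition grammar (FREETEXTTABLE already matches inflectional forms on its own). Stripping double quotes from the term is a conservative choice made here, not a documented full-text escape rule.

```sql
-- Added example; not code from the original question or its answers.
-- Assumes a table dbo.listings with a full-text index on the columns used.
-- CONTAINSTABLE is used because FormsOf belongs to the CONTAINS search-condition
-- grammar (FREETEXTTABLE already matches inflectional forms on its own).

-- A constructed hostile search term: the single quote is what matters for T-SQL.
DECLARE @SearchWord nvarchar(max) = N'tax''); DROP TABLE dbo.listings; --';

-- 1) Vulnerable: the term is spliced into the statement text, so the single
--    quote ends the literal and everything after it is compiled as T-SQL.
DECLARE @UnsafeSql nvarchar(max) =
      N'SELECT a.listing_id, ft.RANK FROM dbo.listings AS a '
    + N'JOIN CONTAINSTABLE(dbo.listings, *, ''FormsOf(INFLECTIONAL, "'
    + @SearchWord
    + N'")'') AS ft ON ft.[KEY] = a.listing_id;';
PRINT @UnsafeSql;      -- inspect the spliced statement; do NOT EXEC it
-- EXEC (@UnsafeSql);

-- 2) The pattern from the question: concatenation builds only the VALUE of
--    @SearchString. T-SQL never re-parses that value; the full-text engine reads
--    it as a search condition, where the single quote is just a character.
--    Stripping double quotes is a conservative choice (an assumption, not a
--    documented escape rule) so the term cannot unbalance the FormsOf(...) syntax.
DECLARE @SearchString nvarchar(max) =
    N'FormsOf(INFLECTIONAL, "' + REPLACE(@SearchWord, N'"', N'') + N'")';

SELECT a.listing_id, ft.RANK, a.name, a.address, a.city, a.zip, a.heading, a.phone
FROM dbo.listings AS a
JOIN CONTAINSTABLE(dbo.listings, *, @SearchString) AS ft
  ON ft.[KEY] = a.listing_id
ORDER BY ft.RANK DESC, a.name;

-- 3) If the statement itself must be dynamic, keep the search text a parameter
--    of sp_executesql: the value is bound at execution, not spliced into the text.
EXEC sys.sp_executesql
    N'SELECT a.listing_id, ft.RANK, a.name
      FROM dbo.listings AS a
      JOIN CONTAINSTABLE(dbo.listings, *, @s) AS ft ON ft.[KEY] = a.listing_id
      ORDER BY ft.RANK DESC, a.name;',
    N'@s nvarchar(max)',
    @s = @SearchString;
```

Running the PRINT in case 1 shows the literal closed early and a second statement appended; in cases 2 and 3 the same term reaches the full-text engine intact inside the double-quoted phrase, so the worst it can do is match nothing. The remaining risk in the question's pattern is a malformed full-text search condition (an unbalanced quote or operator raising an error), which is why the term is sanitized before it is wrapped in FormsOf.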

Source: https://habr.com/ru/post/1716587/
