SQL Injection : Parameterization Code Review

In C# code it is possible to call SQL commands using the SqlCommand object like below:

    string selectString = @"select MyColumn from Mytable where MyOtherColumn = " + value;
    SqlCommand cmd = new SqlCommand();
    cmd.CommandText = selectString;
    cmd.Connection = conn;
    cmd.ExecuteReader();

The code above should be using parameterized statements or stored procedures. A parameterized statement is shown […]
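The hardened form of the snippet above, as an added example rather than code from the original post: the caller's value is bound as a typed SqlParameter so it is sent to the server as data and never spliced into the SQL text, and the same binding is shown for a stored-procedure call. The table and column names come from the post; the connection string, the NVarChar(50) parameter type and the procedure name `dbo.usp_GetMyColumn` are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient; // System.Data.SqlClient works the same on .NET Framework

public static class SafeQuery
{
    // Parameterized replacement for the concatenated query. The SQL text is a
    // constant; @value is a placeholder filled by the driver, not by string building.
    public static List<string> SelectMyColumn(string connectionString, string value)
    {
        const string selectString =
            "select MyColumn from MyTable where MyOtherColumn = @value";

        var results = new List<string>();
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand(selectString, conn);

        // Explicit type and length (assumed here to match the column) instead of
        // AddWithValue: the value can only ever be compared as an NVARCHAR, and the
        // query plan stays stable because the parameter shape does not vary per call.
        cmd.Parameters.Add("@value", SqlDbType.NVarChar, 50).Value =
            value ?? (object)DBNull.Value;

        conn.Open();
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
            results.Add(reader.IsDBNull(0) ? null : reader.GetString(0));
        return results;
    }

    // The stored-procedure alternative the post mentions, bound the same way.
    // dbo.usp_GetMyColumn and its @OtherColumn parameter are hypothetical names.
    public static List<string> SelectMyColumnViaProc(string connectionString, string value)
    {
        var results = new List<string>();
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand("dbo.usp_GetMyColumn", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@OtherColumn", SqlDbType.NVarChar, 50).Value =
            value ?? (object)DBNull.Value;

        conn.Open();
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
            results.Add(reader.IsDBNull(0) ? null : reader.GetString(0));
        return results;
    }
}
```

With either method an input such as `' OR 1=1 --` is compared literally against MyOtherColumn and simply matches nothing; with the concatenated version it changes the query. Note that moving to a stored procedure only helps if the procedure body itself does not rebuild the SQL from its parameters, which is what the next review covers.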


This review is around the misuse of EXECUTE\EXEC\SP_EXECUTE in stored procedures. To find the at-risk stored procedures run the query below:

    SELECT DISTINCT o.name AS Object_Name, o.type_desc
    FROM sys.sql_modules m
    INNER JOIN sys.objects o ON m.object_id = o.object_id
    WHERE m.definition LIKE '%exec%';

Then scan the contents of anything returned. 95% will be eliminated with […]
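The second step, scanning the returned definitions, can be partly automated. The triage helper below is an added example, not code from the original post: it takes the text of a module definition (as returned in `sys.sql_modules.definition` by the query above) and sorts it into three buckets: a plain `EXEC` of a named procedure, which is the bulk the post says can be eliminated; dynamic SQL (`EXEC(...)`, `EXEC @var` or `sp_executesql`) built from a constant string; and dynamic SQL where a T-SQL variable is concatenated into the executed string, which is the case that needs a human review. The regular expressions are heuristics chosen for this example, and the three procedure bodies at the bottom are constructed samples.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class DynamicSqlTriage
{
    public enum Risk
    {
        StaticExec,                    // EXEC dbo.SomeProc @p = 1 : no SQL text is assembled
        DynamicSql,                    // a string is executed, but not built by concatenation
        DynamicSqlWithConcatenation    // a variable is spliced into the executed string: review it
    }

    // EXEC (...) or EXEC @var, but not EXEC @rc = dbo.Proc (return-value capture).
    static readonly Regex DynamicExec =
        new Regex(@"\bEXEC(?:UTE)?\s*(?:\(|@\w+\b(?!\s*=))", RegexOptions.IgnoreCase);

    // sp_executesql runs a string too; it is only safe when that string is constant
    // and user values travel through its parameter list.
    static readonly Regex SpExecuteSql =
        new Regex(@"\bsp_executesql\b", RegexOptions.IgnoreCase);

    // A T-SQL variable on either side of a + operator: ' + @Name or @Name + '.
    // Heuristic: arithmetic on @variables also matches and needs a look by a reviewer.
    static readonly Regex Concatenation =
        new Regex(@"\+\s*@\w+|@\w+\s*\+", RegexOptions.IgnoreCase);

    public static Risk Classify(string definition)
    {
        bool dynamic = DynamicExec.IsMatch(definition) || SpExecuteSql.IsMatch(definition);
        if (!dynamic)
            return Risk.StaticExec;
        return Concatenation.IsMatch(definition)
            ? Risk.DynamicSqlWithConcatenation
            : Risk.DynamicSql;
    }

    // Constructed sample definitions standing in for rows returned by the post's query.
    static readonly Dictionary<string, string> Samples = new Dictionary<string, string>
    {
        ["dbo.usp_Wrapper"] =
            "CREATE PROCEDURE dbo.usp_Wrapper AS " +
            "DECLARE @rc int; EXEC @rc = dbo.usp_Inner @Id = 5;",

        ["dbo.usp_SearchConcat"] =
            "CREATE PROCEDURE dbo.usp_SearchConcat @Name nvarchar(50) AS " +
            "DECLARE @sql nvarchar(max) = N'select * from dbo.T where Name = ''' + @Name + ''''; " +
            "EXEC(@sql);",

        ["dbo.usp_SearchParam"] =
            "CREATE PROCEDURE dbo.usp_SearchParam @Name nvarchar(50) AS " +
            "DECLARE @sql nvarchar(max) = N'select * from dbo.T where Name = @n'; " +
            "EXEC sp_executesql @sql, N'@n nvarchar(50)', @n = @Name;",
    };

    public static void Main()
    {
        foreach (var kv in Samples)
            Console.WriteLine($"{kv.Key,-22} {Classify(kv.Value)}");
        // usp_Wrapper       -> StaticExec
        // usp_SearchConcat  -> DynamicSqlWithConcatenation
        // usp_SearchParam   -> DynamicSql
    }
}
```

The query in the post matches on `%exec%`, so it also returns modules that merely mention "execution" in a comment; those fall into StaticExec here. Anything classified as DynamicSqlWithConcatenation is the candidate for the fix the third sample shows: keep the statement text constant and pass the value through the `sp_executesql` parameter list, the server-side equivalent of the SqlParameter binding in the C# review.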