Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Prob with FAQ: Checking for SQL injection

Status
Not open for further replies.
Creto

Creto

Programmer
Aug 31, 2004
90
US
Regarding:
I set up the sp stated first in the first part with no problems. However, when I try creating the second sp, I'm getting syntax errors.

Code: 
CREATE PROCEDURE spNewAnswer
 --String data that will become part of dynamic SQL statement.
   @UserInput1 AS varchar(8000),
   @UserInput2 AS varchar(8000),
   @wAnswer varchar(255)
AS
   DECLARE @BadKeywords AS varchar(8000)
   --Be sure to place a space between each parameter to be tested.
  EXEC spInjectionAttack 
      @UserInput1 + ' ' +  @UserInput2,
      @BadKeywords OUTPUT
   IF Len(@BadKeywords)>0 BEGIN
     RAISEERROR ('Possible SQL injection attack:'
         +Char(13)+@BadKeywords,15,-1)
      RETURN
   END

DECLARE @KEY int
INSERT INTO tblSurveyAnswers (svaAnswers)
	VALUES
		(
		@wAnswer
		)
SELECT @KEY = @@IDENTITY
SELECT svaUID, svaAnswers from tblSurveyAnswers WHERE svaUID = @KEY

GO

This is the error I get

Error 170: Line 10: Incorrect syntax near '+'.
Line 13: Incorrect syntax near 'RAISEERROR'.

I can't figure out why it's erroring out on the concatenation.
 
Sort by date Sort by votes
raiserror expects string/variable, not expression. Use variable to compose error message:
Code: 
declare @foo varchar( some_length )
...

IF Len(@BadKeywords)>0 BEGIN
	set @foo = 'Possible SQL injection attack:' +Char(13)+@BadKeywords
	RAISEERROR ( @foo,15,-1)
	RETURN
END
 
Upvote 0 Downvote
raiserror with one "e"... plus it is possible you'll have to prepare EXEC string the same way.
 
Upvote 0 Downvote
BTW, please do not use @@identity. Use scope_identity() instead. The reason is that if you ever put a trigger on the table you are refernceing which in turn inserts a record to a table with an identity field, you will get the second identity not the first returned from @@identity.

Questions about posting. See faq183-874
 
Upvote 0 Downvote
Found the issue. Turns out the server was set to set a string to null when a string is concatenated with null.

Thanks for the ideas.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MathiasB
  • Locked
  • Question
Parameterised sql server query
Replies
8
Views
507
Chriss Miller
C
gbaughma
  • Locked
  • Question
SQL Performance
Replies
11
Views
1K
pjw001
pjw001
Steve Yu
  • Locked
  • Question
How secure is MS SQL on the Internet vs behind firewall inside a LAN 1
Replies
3
Views
625
Chris Miller
Chris Miller
V
  • Locked
  • Question
xp_cmdshell vs psexec - this SQL server forgets credential to an W10 share
Replies
0
Views
813
Volvere
V
elly00
  • Locked
  • Question
create sql view using batch file
Replies
5
Views
713
Mike Lewis
Mike Lewis

Part and Inventory Search

Sponsor

Back
Top