I'm trying to understand dynamic queries / values in stored procedures. Can someone direct me to a good article that explains how SQL injection and other potential risks are possible in stored procedures?
For example, this is a simple SP - is this the right way to write a dynamic query in an SP?
    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    CREATE PROCEDURE [dbo].[spx_test]
        @year NVARCHAR(4)
    AS
        DECLARE @DBName NVARCHAR(10),
                @sql    NVARCHAR(4000)
    BEGIN
        -- Build the target database name from the caller-supplied year
        SET @DBName = 'DB_XYZ' + @year
        -- Concatenate that name straight into the statement text
        SET @sql = 'SELECT COUNT(*) FROM ' + @DBName + '.dbo.TBL_ABC;'
        EXECUTE sp_executesql @sql
    END
    GO
I think this is pretty restrictive, correct? The SP is expecting only 4 characters (for example, 2015). Is it still possible to insert any malicious code within that?
Thanks.
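The following script is an added example and not part of the question above. It first builds the statement string exactly the way the posted procedure does, but prints it instead of executing it, so you can see what a 4-character value other than a year turns the query into; it then shows a hardened rewrite of the same procedure. The procedure name dbo.spx_test_hardened, the error numbers, and the DB_XYZ&lt;year&gt; / TBL_ABC names are assumptions for illustration; THROW requires SQL Server 2012 or later.

```sql
-- Added example (not from the question). Assumed names: dbo.spx_test_hardened,
-- databases named DB_XYZ<year>, table dbo.TBL_ABC. Requires SQL Server 2012+.

-- 1. Reproduce the string-building step of the posted procedure, but PRINT
--    the result instead of executing it.
DECLARE @year   NVARCHAR(4)    = N'1;--';   -- four characters, but not a year
DECLARE @DBName NVARCHAR(10)   = N'DB_XYZ' + @year;
DECLARE @sql    NVARCHAR(4000) = N'SELECT COUNT(*) FROM ' + @DBName + N'.dbo.TBL_ABC;';
PRINT @sql;
-- Prints:  SELECT COUNT(*) FROM DB_XYZ1;--.dbo.TBL_ABC;
-- The ";--" terminates the statement early and comments out the rest, so the
-- caller has changed which object the query runs against (DB_XYZ1 in the
-- current database) without ever leaving the 4-character limit.
GO

-- 2. Hardened version: allow-list the input, check the target exists, and
--    quote the identifier. Identifiers cannot be passed as sp_executesql
--    parameters, which is why QUOTENAME is used for the database name.
CREATE PROCEDURE dbo.spx_test_hardened
    @year NVARCHAR(4)
AS
BEGIN
    SET NOCOUNT ON;

    -- Only exactly four digits are acceptable; reject everything else.
    IF @year IS NULL OR @year NOT LIKE N'[0-9][0-9][0-9][0-9]'
        THROW 50001, N'@year must be exactly four digits.', 1;

    DECLARE @DBName sysname = N'DB_XYZ' + @year;

    -- Refuse names that do not resolve to an existing database.
    IF DB_ID(@DBName) IS NULL
        THROW 50002, N'Target database does not exist.', 1;

    -- QUOTENAME wraps the name in [] and escapes any ] inside it, so the
    -- value is always read as a single identifier.
    DECLARE @sql NVARCHAR(4000) =
        N'SELECT COUNT(*) AS row_count FROM '
        + QUOTENAME(@DBName) + N'.dbo.TBL_ABC;';

    EXEC sys.sp_executesql @sql;
END
GO

-- Usage (assumes DB_XYZ2015 exists):
EXEC dbo.spx_test_hardened @year = N'2015';   -- runs against [DB_XYZ2015].dbo.TBL_ABC
EXEC dbo.spx_test_hardened @year = N'1;--';   -- raises error 50001 before any SQL is built
```

The length limit on @year shrinks the attack surface, but it is the validation and QUOTENAME, not the length, that make the concatenation safe: the allow-list guarantees the value can only ever be four digits, and QUOTENAME guarantees that whatever reaches the statement is treated as one identifier rather than as SQL text.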