SQL Injection


參考網站

◎ =

-- Equality test with a bound parameter.
-- The search value is handed to sys.sp_executesql through its parameter list,
-- never spliced into the SQL text, so quote characters inside the value are
-- treated as data and cannot change the statement that runs.
DECLARE @ParamDefinition NVARCHAR(MAX);
DECLARE @Statement NVARCHAR(MAX);
SET @ParamDefinition = '@A1 NVARCHAR(MAX)';
SET @Statement = 'SELECT * FROM Employees WHERE TitleOfCourtesy = @A1 ';
EXEC sys.sp_executesql @Statement, @ParamDefinition, @A1 = 'Mr.';

◎ LIKE

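-- LIKE with a bound parameter.
-- The '%' wildcards live in the SQL text and the search term is bound through
-- sys.sp_executesql, so the term cannot alter the statement. The term is still
-- interpreted as a LIKE pattern, though: an unescaped '%' or '_' in it would
-- match every row (or any single character). '\' is therefore declared as the
-- ESCAPE character and '\', '%', '_' and '[' in the term are escaped first, so
-- those characters match literally.
DECLARE @Term NVARCHAR(MAX) = 'Mr.';
-- escape the escape character first, then the LIKE metacharacters
DECLARE @EscapedTerm NVARCHAR(MAX) =
    REPLACE(REPLACE(REPLACE(REPLACE(@Term, '\', '\\'), '%', '\%'), '_', '\_'), '[', '\[');
DECLARE @PARA NVARCHAR(MAX) = '@A1 NVARCHAR(MAX)';
DECLARE @SQL NVARCHAR(MAX) =
    'SELECT * FROM Employees WHERE TitleOfCourtesy LIKE ''%''+@A1+''%'' ESCAPE ''\'' ';
EXEC sys.sp_executesql @SQL, @PARA, @A1 = @EscapedTerm;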

◎ IN

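-- IN with a bound parameter.
-- A scalar parameter inside IN (...) is compared as ONE value: with the plain
-- form IN (@A1), passing @A1 = 'Mr.,Ms.' looks for that exact string and
-- matches nothing. The list is therefore passed as a comma-delimited string and
-- expanded server-side with STRING_SPLIT (SQL Server 2016+, compatibility
-- level 130+), so the values are still bound and never become part of the SQL
-- text. Values are not trimmed; a list such as 'Mr., Ms.' keeps the space.
DECLARE @PARA NVARCHAR(MAX) = '@A1 NVARCHAR(MAX)';
DECLARE @SQL NVARCHAR(MAX) =
    'SELECT * FROM Employees WHERE TitleOfCourtesy IN (SELECT value FROM STRING_SPLIT(@A1, '','')) ';
EXEC sys.sp_executesql @SQL, @PARA, @A1 = 'Mr.';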
