by
foobarbaz33
922 days ago
> doesn't allow SQL injection
Here's an injection vulnerable stored proc call.
string badSql = "exec fooProc " + arg;
User input needs to be parameterized whether you are calling a stored proc or not.
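An added C# example (not the commenter's code) that puts the concatenated call beside the parameterized alternatives using Microsoft.Data.SqlClient. The procedure name fooProc comes from the comment; the parameter name @arg and its nvarchar(100) type are assumptions about how the procedure is declared.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient; // NuGet package Microsoft.Data.SqlClient (assumed available)

public static class StoredProcCalls
{
    // Vulnerable: the caller's input is spliced into the batch text, so whatever the
    // user typed is parsed by SQL Server as T-SQL. This is the pattern from the comment,
    // kept only for contrast.
    public static SqlCommand BuildUnsafe(string arg)
    {
        string badSql = "exec fooProc " + arg;
        return new SqlCommand(badSql);
    }

    // Hardened: the procedure name is the command text and the input travels as a
    // typed parameter. Assumes fooProc declares @arg nvarchar(100).
    public static SqlCommand BuildSafe(string arg)
    {
        var cmd = new SqlCommand("fooProc")
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@arg", SqlDbType.NVarChar, 100).Value = arg;
        return cmd;
    }

    // Equally safe if you prefer to keep an EXEC statement in the text: the placeholder
    // is part of the text, the value never is.
    public static SqlCommand BuildSafeExecText(string arg)
    {
        var cmd = new SqlCommand("exec fooProc @arg");
        cmd.Parameters.Add("@arg", SqlDbType.NVarChar, 100).Value = arg;
        return cmd;
    }

    // Runs without a database: it only shows what each form would send.
    public static void Main()
    {
        string input = "O'Brien; x"; // constructed sample input containing SQL metacharacters

        Console.WriteLine("unsafe text : " + BuildUnsafe(input).CommandText);

        var safe = BuildSafe(input);
        Console.WriteLine("safe text   : " + safe.CommandText
            + " (type " + safe.CommandType + ", @arg = " + safe.Parameters["@arg"].Value + ")");

        var safeExec = BuildSafeExecText(input);
        Console.WriteLine("safe exec   : " + safeExec.CommandText
            + " (@arg = " + safeExec.Parameters["@arg"].Value + ")");
    }
}
```

In the unsafe form the metacharacters end up in CommandText; in the two safe forms CommandText is fixed and the input only ever appears as a parameter value. Parameterizing the call protects the call itself; it does not help if the procedure body concatenates @arg into its own dynamic SQL, so review the procedure as well.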