Concatenating Date Values - SQL Injection
Posted
by Kyle Rozendo
on Stack Overflow
See other posts from Stack Overflow
or by Kyle Rozendo
Published on 2010-04-12T11:39:42Z
Indexed on
2010/04/12
11:43 UTC
Read the original article
Hit count: 720
Hi All,
We currently receive parameters of values as VARCHAR
's, and then build a date from them. I am wanting to confirm that the method would stop the possibility of SQL injection from this statement:
select CONVERT(datetime, '2010' + '-' + '02' + '-' + '21' + ' ' + '15:11:38.990')
Another note is that the actual parameters being passed through to the stored proc are length bound at (4, 2, 2, 10, 12)
in correspondence to the above.
Thanks a ton,
Kyle
© Stack Overflow or respective owner