Concatenating Date Values - SQL Injection
Posted by Kyle Rozendo on Stack Overflow
Published on 2010-04-12T11:39:42Z
Hi All,
We currently receive parameter values as VARCHARs, and then build a date from them. I want to confirm that the method would stop the possibility of SQL injection from this statement:
select CONVERT(datetime, '2010' + '-' + '02' + '-' + '21' + ' ' + '15:11:38.990')
Another note is that the actual parameters being passed through to the stored proc are length bound at (4, 2, 2, 10, 12) in correspondence to the above.
Thanks a ton,
Kyle
© Stack Overflow or respective owner
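
The distinction the question turns on, as an added T-SQL example that is not part of the original post: concatenating parameters inside a fixed statement keeps them as data, while concatenating them into statement text that is then executed does not. Procedure and parameter names are hypothetical, the `121` style argument is an addition, and only four length-bound parameters are modelled because the post does not name its five.

```sql
-- Added example (T-SQL, batches separated by GO as in SSMS/sqlcmd).
-- All procedure and parameter names are hypothetical.
CREATE PROCEDURE dbo.BuildDate_Static
    @Year VARCHAR(4), @Month VARCHAR(2), @Day VARCHAR(2), @Time VARCHAR(12)
AS
BEGIN
    SET NOCOUNT ON;
    -- Statement text is fixed at compile time; the parameters are operands
    -- of '+', so their contents are only ever data. Style 121 pins the
    -- yyyy-mm-dd hh:mi:ss.mmm format regardless of session DATEFORMAT.
    SELECT CONVERT(datetime,
                   @Year + '-' + @Month + '-' + @Day + ' ' + @Time, 121) AS BuiltDate;
END;
GO
-- Contrast: the same concatenation is injectable once the result is used
-- as statement text, because the value is then parsed as SQL.
CREATE PROCEDURE dbo.BuildDate_Dynamic
    @Year VARCHAR(4), @Month VARCHAR(2), @Day VARCHAR(2), @Time VARCHAR(12)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(200);
    SET @sql = N'SELECT CONVERT(datetime, '''
             + @Year + '-' + @Month + '-' + @Day + ' ' + @Time + N''', 121)';
    EXEC (@sql);  -- unsafe: a quote in any parameter ends the literal early
END;
GO
-- If dynamic SQL is unavoidable, pass the value as a parameter instead.
CREATE PROCEDURE dbo.BuildDate_DynamicParam
    @Year VARCHAR(4), @Month VARCHAR(2), @Day VARCHAR(2), @Time VARCHAR(12)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @text VARCHAR(23);  -- 4+1+2+1+2+1+12 characters
    SET @text = @Year + '-' + @Month + '-' + @Day + ' ' + @Time;
    EXEC sp_executesql N'SELECT CONVERT(datetime, @s, 121) AS BuiltDate',
                       N'@s VARCHAR(23)', @s = @text;
END;
GO
EXEC dbo.BuildDate_Static '2010', '02', '21', '15:11:38.990';  -- well-formed
-- Constructed malformed input with an embedded quote: the static procedure
-- treats it as text, the conversion fails, and control passes to CATCH.
BEGIN TRY
    EXEC dbo.BuildDate_Static '2010', '02', '21', '15:11''x';
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrNo, ERROR_MESSAGE() AS ErrMsg;
END CATCH;
```

Values longer than the declared parameter lengths are silently truncated on the way in, so the length bounds limit size but do not validate content; the conversion itself is what rejects malformed text.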