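-- Demonstration procedure: concatenates the caller-supplied @param onto a
-- fixed prefix and RETURNS the resulting text as a one-row result set.
-- It never executes that text (there is no EXEC / sp_executesql here), so
-- whatever @param contains comes back to the caller as data only.
--
-- NOTE(review): the sp_ prefix is reserved for system procedures in SQL
-- Server and makes name resolution check master first; the name is kept
-- only so existing callers keep working.
-- NOTE(review): with the default CONCAT_NULL_YIELDS_NULL setting a NULL
-- @param makes @Output NULL rather than N'Select ' -- confirm that is the
-- intended behaviour for this demo.
CREATE PROCEDURE [sp_Test] (
    @param nvarchar(max)   -- untrusted text; echoed back, not executed
) AS
BEGIN
    -- Build the string with plain ASCII quotes (the original used curly
    -- typographic quotes, which are not valid T-SQL string delimiters).
    -- Any SQL smuggled into @param (e.g. a trailing '; drop database') is
    -- simply part of this string. It would only run if the SELECT below
    -- were changed to EXEC(@Output); if dynamic execution is ever needed,
    -- use sp_executesql with a bound parameter instead of concatenation.
    DECLARE @Output nvarchar(max) = N'Select ' + @param;

    -- Return the generated text as a result set (not executed).
    SELECT @Output;
    RETURN;
END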
Intended Use
exec sp_test '5'
Returns "select 5"
Malicious Use
exec sp_test '5; drop database'
Returns (would be safe):
"select 5; drop database"
-- OR --
Returns (not safe):
"select 5"
...but also actually drops the database
MS SQL Server
Author: Donnie