Is this SP safe from SQL injection?

CREATE PROCEDURE [sp_Test] (
     @param nvarchar(Max)
) AS BEGIN

DECLARE @Output nvarchar(Max) =
N'Select ' + @param

-- The concatenated text is returned as a value, not executed
Select @Output
Return
END

Intended Use

exec sp_test '5'

Returns "select 5"

Malicious Use

exec sp_test '5; drop database'

Returns (would be safe):
"select 5; drop database"

-- OR --

Returns (not safe):
"select 5"
...but also actually dropping the database

MS SQL Server

Author: Donnie
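The distinction the question turns on, as an added T-SQL example that is not part of the original post: building a string from caller input is only a problem once that string is handed to the engine to run, so the posted procedure (which returns the text as a result row) is shown beside an executing variant and its parameterised fix. Procedure names and the dbo schema are assumptions.

```sql
-- Added example, not the original post's code. Object names are hypothetical.
-- Note: the sp_ prefix is reserved for system procedures and is best avoided.

-- 1. As posted: the string is built and RETURNED as data, never executed.
--    Whatever @param contains, the only effect is a one-row result set.
CREATE PROCEDURE dbo.Test_Return (@param nvarchar(MAX)) AS
BEGIN
    DECLARE @Output nvarchar(MAX) = N'SELECT ' + @param;
    SELECT @Output AS GeneratedSql;   -- a value in a row, not a query
END;
GO

-- 2. Same concatenation, but the string is executed: this IS injectable,
--    because the caller's text becomes part of the batch the engine runs.
CREATE PROCEDURE dbo.Test_ExecUnsafe (@param nvarchar(MAX)) AS
BEGIN
    DECLARE @Output nvarchar(MAX) = N'SELECT ' + @param;
    EXEC (@Output);                   -- @param is parsed as T-SQL here
END;
GO

-- 3. Hardened: the caller's value travels as a typed parameter through
--    sp_executesql, so it can only ever be data, never extra statements.
CREATE PROCEDURE dbo.Test_ExecSafe (@param nvarchar(MAX)) AS
BEGIN
    DECLARE @Sql nvarchar(MAX) = N'SELECT @p AS Value;';
    EXEC sys.sp_executesql @Sql, N'@p nvarchar(MAX)', @p = @param;
END;
GO

-- Constructed inputs to compare the three behaviours:
EXEC dbo.Test_Return   N'5';            -- one row containing the text "SELECT 5"
EXEC dbo.Test_Return   N'5; SELECT 6';  -- one row containing "SELECT 5; SELECT 6"
EXEC dbo.Test_ExecSafe N'5; SELECT 6';  -- one row containing the literal "5; SELECT 6"
-- dbo.Test_ExecUnsafe N'5; SELECT 6' would run two statements (5, then 6):
-- that is the "not safe" outcome the question describes, and it only occurs
-- when the concatenated string is executed, not when it is merely returned.
```

If the string returned by variant 1 is later passed to EXEC or sp_executesql by a caller, that caller inherits variant 2's problem, so the safety of the procedure depends on what consumes its output.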