c***@gmail.com
2013-05-31 08:01:29 UTC
Hi!
I have written a stored procedure which uses a scalar function, and I am not sure whether it might be vulnerable to SQL injection. I think it isn't vulnerable, because I only pass the string parameter through, but as I said, I am not sure about that.
Thank you in advance,
Christian
Here is the code of the SP:
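-- Lists assignments of department 'ABC' projects whose resource belongs to
-- department 'DEF' or 'GHI' and whose task starts or finishes in one of the
-- calendar years @FromYear..@ToYear (both inclusive).
--
-- @FromYear, @ToYear     first and last calendar year to include
-- @SummaryTaskPattern    LIKE pattern forwarded unchanged to
--                        dbo.GetAssociatedSummaryTaskName. It is only ever
--                        bound as a parameter and never concatenated into
--                        dynamic SQL, so it cannot inject statements; LIKE
--                        wildcards (%, _, [ ]) in the value do, however,
--                        change which summary task is matched.
CREATE PROCEDURE [dbo].[GetStandbelegung]
    @FromYear int,
    @ToYear int,
    @SummaryTaskPattern nvarchar(255)
AS
BEGIN
    SET NOCOUNT ON;

    -- Half-open datetime range [1 Jan @FromYear, 1 Jan @ToYear+1) so the
    -- predicate below can use an index on the date columns instead of
    -- evaluating YEAR() for every row. DATEADD(yy, n, 0) is 1 January of
    -- year 1900 + n and works on every SQL Server version; the years must
    -- lie inside the datetime range (1753..9998).
    DECLARE @RangeStart datetime,
            @RangeEnd   datetime;
    SET @RangeStart = DATEADD(yy, @FromYear - 1900, 0);
    SET @RangeEnd   = DATEADD(yy, @ToYear + 1 - 1900, 0); -- exclusive bound

    SELECT
        R.ResourceName AS Resource,
        A.AssignmentStartDate AS [From],
        A.AssignmentFinishDate AS [To],
        P.ProjectName AS Project,
        -- scalar UDF runs once per result row; walks up the task hierarchy
        dbo.GetAssociatedSummaryTaskName(T.TaskUID, @SummaryTaskPattern) AS Vehicle
    FROM dbo.MSP_EpmAssignment AS A
    INNER JOIN dbo.MSP_EpmTask AS T
        ON A.TaskUID = T.TaskUID
    INNER JOIN dbo.MSP_EpmProject_UserView AS P
        ON A.ProjectUID = P.ProjectUID
    INNER JOIN dbo.MSP_EpmResource_UserView AS R
        ON A.ResourceUID = R.ResourceUID
    WHERE P.Projektabteilungen = 'ABC'
      AND R.Ressourcenabteilungen IN ('DEF', 'GHI')
      -- task overlaps the year window by either its start or its finish date;
      -- explicit parentheses make the AND/OR grouping visible
      AND (
            (T.TaskStartDate  >= @RangeStart AND T.TaskStartDate  < @RangeEnd)
         OR (T.TaskFinishDate >= @RangeStart AND T.TaskFinishDate < @RangeEnd)
      )
    ORDER BY R.ResourceName, A.AssignmentStartDate, P.ProjectName, Vehicle;
END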
And here is the code of the function that the parameter is passed to:
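-- Walks up the task hierarchy starting at @TaskUID and returns the TaskName of
-- the first ancestor that matches @SummaryTaskPattern (T-SQL LIKE semantics).
-- The starting task's own name is never tested, only its ancestors'.
--
-- @TaskUID             task to start from
-- @SummaryTaskPattern  LIKE pattern. It is bound as a parameter and never
--                      concatenated into SQL text, so it cannot inject
--                      statements; wildcards in the value (%, _, [ ]) are
--                      interpreted, so a caller wanting a literal match must
--                      escape them.
--
-- Returns the matching ancestor's TaskName, or an 'ERROR: ...' text when the
-- chain ends without a match (project summary task reached, no parent row,
-- or the parent chain is deeper than @MaxDepth / cyclic).
CREATE FUNCTION [dbo].[GetAssociatedSummaryTaskName]
(
    @TaskUID uniqueidentifier,
    @SummaryTaskPattern nvarchar(255)
)
RETURNS nvarchar(255)
AS
BEGIN
    DECLARE @CurrentUID uniqueidentifier,
            @ParentUID  uniqueidentifier,
            @ParentName nvarchar(255),
            @Depth      int,
            @MaxDepth   int

    -- Upper bound on hops. A corrupt parent chain that forms a cycle longer
    -- than one node would otherwise loop forever; the legitimate
    -- self-referencing project summary task is handled explicitly below.
    SET @MaxDepth = 1000
    SET @Depth = 0
    SET @CurrentUID = @TaskUID

    WHILE (1 = 1) -- loop leaves only via BREAK (do-while shape)
    BEGIN
        -- fetch the current task together with its parent in the same project
        SELECT @CurrentUID = T1.TaskUID,
               @ParentUID  = T2.TaskUID,
               @ParentName = T2.TaskName
        FROM dbo.MSP_EpmTask AS T1
        INNER JOIN dbo.MSP_EpmTask AS T2
            ON T1.TaskParentUID = T2.TaskUID
           AND T1.ProjectUID = T2.ProjectUID
        WHERE T1.TaskUID = @CurrentUID

        IF (@@ROWCOUNT = 0)
        BEGIN
            -- no parent row: task missing or parent outside the project
            SET @ParentName = 'ERROR: unexpected zero RowCount!'
            BREAK
        END
        ELSE IF (@CurrentUID = @ParentUID)
        BEGIN
            -- the project summary task is its own parent: top of the chain
            SET @ParentName = 'ERROR: no matching SummaryTask found!'
            BREAK
        END
        ELSE IF (@ParentName LIKE @SummaryTaskPattern)
            BREAK -- matching summary task found; @ParentName is the result
        ELSE
        BEGIN
            SET @Depth = @Depth + 1
            IF (@Depth >= @MaxDepth)
            BEGIN
                SET @ParentName = 'ERROR: task hierarchy too deep or cyclic!'
                BREAK
            END
            SET @CurrentUID = @ParentUID
        END
    END

    RETURN @ParentName
END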
I have written a stored procedure which uses a scalar function, and I am not sure whether it might be vulnerable to SQL injection. I think it isn't vulnerable, because I only pass the string parameter through, but as I said, I am not sure about that.
Thank you in advance,
Christian
Here is the code of the SP:
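-- Lists assignments of department 'ABC' projects whose resource belongs to
-- department 'DEF' or 'GHI' and whose task starts or finishes in one of the
-- calendar years @FromYear..@ToYear (both inclusive).
--
-- @FromYear, @ToYear     first and last calendar year to include
-- @SummaryTaskPattern    LIKE pattern forwarded unchanged to
--                        dbo.GetAssociatedSummaryTaskName. It is only ever
--                        bound as a parameter and never concatenated into
--                        dynamic SQL, so it cannot inject statements; LIKE
--                        wildcards (%, _, [ ]) in the value do, however,
--                        change which summary task is matched.
CREATE PROCEDURE [dbo].[GetStandbelegung]
    @FromYear int,
    @ToYear int,
    @SummaryTaskPattern nvarchar(255)
AS
BEGIN
    SET NOCOUNT ON;

    -- Half-open datetime range [1 Jan @FromYear, 1 Jan @ToYear+1) so the
    -- predicate below can use an index on the date columns instead of
    -- evaluating YEAR() for every row. DATEADD(yy, n, 0) is 1 January of
    -- year 1900 + n and works on every SQL Server version; the years must
    -- lie inside the datetime range (1753..9998).
    DECLARE @RangeStart datetime,
            @RangeEnd   datetime;
    SET @RangeStart = DATEADD(yy, @FromYear - 1900, 0);
    SET @RangeEnd   = DATEADD(yy, @ToYear + 1 - 1900, 0); -- exclusive bound

    SELECT
        R.ResourceName AS Resource,
        A.AssignmentStartDate AS [From],
        A.AssignmentFinishDate AS [To],
        P.ProjectName AS Project,
        -- scalar UDF runs once per result row; walks up the task hierarchy
        dbo.GetAssociatedSummaryTaskName(T.TaskUID, @SummaryTaskPattern) AS Vehicle
    FROM dbo.MSP_EpmAssignment AS A
    INNER JOIN dbo.MSP_EpmTask AS T
        ON A.TaskUID = T.TaskUID
    INNER JOIN dbo.MSP_EpmProject_UserView AS P
        ON A.ProjectUID = P.ProjectUID
    INNER JOIN dbo.MSP_EpmResource_UserView AS R
        ON A.ResourceUID = R.ResourceUID
    WHERE P.Projektabteilungen = 'ABC'
      AND R.Ressourcenabteilungen IN ('DEF', 'GHI')
      -- task overlaps the year window by either its start or its finish date;
      -- explicit parentheses make the AND/OR grouping visible
      AND (
            (T.TaskStartDate  >= @RangeStart AND T.TaskStartDate  < @RangeEnd)
         OR (T.TaskFinishDate >= @RangeStart AND T.TaskFinishDate < @RangeEnd)
      )
    ORDER BY R.ResourceName, A.AssignmentStartDate, P.ProjectName, Vehicle;
END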
And here is the code of the function that the parameter is passed to:
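-- Walks up the task hierarchy starting at @TaskUID and returns the TaskName of
-- the first ancestor that matches @SummaryTaskPattern (T-SQL LIKE semantics).
-- The starting task's own name is never tested, only its ancestors'.
--
-- @TaskUID             task to start from
-- @SummaryTaskPattern  LIKE pattern. It is bound as a parameter and never
--                      concatenated into SQL text, so it cannot inject
--                      statements; wildcards in the value (%, _, [ ]) are
--                      interpreted, so a caller wanting a literal match must
--                      escape them.
--
-- Returns the matching ancestor's TaskName, or an 'ERROR: ...' text when the
-- chain ends without a match (project summary task reached, no parent row,
-- or the parent chain is deeper than @MaxDepth / cyclic).
CREATE FUNCTION [dbo].[GetAssociatedSummaryTaskName]
(
    @TaskUID uniqueidentifier,
    @SummaryTaskPattern nvarchar(255)
)
RETURNS nvarchar(255)
AS
BEGIN
    DECLARE @CurrentUID uniqueidentifier,
            @ParentUID  uniqueidentifier,
            @ParentName nvarchar(255),
            @Depth      int,
            @MaxDepth   int

    -- Upper bound on hops. A corrupt parent chain that forms a cycle longer
    -- than one node would otherwise loop forever; the legitimate
    -- self-referencing project summary task is handled explicitly below.
    SET @MaxDepth = 1000
    SET @Depth = 0
    SET @CurrentUID = @TaskUID

    WHILE (1 = 1) -- loop leaves only via BREAK (do-while shape)
    BEGIN
        -- fetch the current task together with its parent in the same project
        SELECT @CurrentUID = T1.TaskUID,
               @ParentUID  = T2.TaskUID,
               @ParentName = T2.TaskName
        FROM dbo.MSP_EpmTask AS T1
        INNER JOIN dbo.MSP_EpmTask AS T2
            ON T1.TaskParentUID = T2.TaskUID
           AND T1.ProjectUID = T2.ProjectUID
        WHERE T1.TaskUID = @CurrentUID

        IF (@@ROWCOUNT = 0)
        BEGIN
            -- no parent row: task missing or parent outside the project
            SET @ParentName = 'ERROR: unexpected zero RowCount!'
            BREAK
        END
        ELSE IF (@CurrentUID = @ParentUID)
        BEGIN
            -- the project summary task is its own parent: top of the chain
            SET @ParentName = 'ERROR: no matching SummaryTask found!'
            BREAK
        END
        ELSE IF (@ParentName LIKE @SummaryTaskPattern)
            BREAK -- matching summary task found; @ParentName is the result
        ELSE
        BEGIN
            SET @Depth = @Depth + 1
            IF (@Depth >= @MaxDepth)
            BEGIN
                SET @ParentName = 'ERROR: task hierarchy too deep or cyclic!'
                BREAK
            END
            SET @CurrentUID = @ParentUID
        END
    END

    RETURN @ParentName
END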