I saw some similar question, none about mysql...
Is there any way to do a sql injection into a SP?
How do I protect from this on the SP level?
In other words, can the Query strucutre, inside a SP can be modified in any way by an incoming parameter?
If I send to a stored procedure the parameter "1;DELETE FROM users;--"
and the query is:
select *
from T
where = @p
On
Yes,It is possible,if you use dynamic query in your stored procedures, use prepare insted of concat statement. It will be more safe.and it will be like this when making the sql query.
DELIMITER //
CREATE PROCEDURE `Test`(in input_condition varchar(200))
begin
set @text_query = ' select * from tb_name where name like ?';
prepare stream_query from @text_query;
execute stream_query using input_condition;
END //
DELIMITER ;
SQL injection is, basically, adding extra code to the query. The attack itself occurs because the server parses the input data as SQL code and executes it accordingly. You cannot protect from it on the SP level, because when the execution gets to the procedure, the attack has already succeeded.
So as long as you construct your queries as text, SQL injection is possible regardless of what the text of the query is. And if you don't, or if you properly sanitize your input, then again, SQL injection shouldn't be a problem, whether it's SELECT or something else.