个人认为 如果存储过程中 用动态SQL语句 拼接查询 还是有注入的可能!!eg:create table A ( T1 int ) insert A select 1 create proc P_Test(@T_sql nvarchar(3000)) as declare @Sql nvarchar(1000) set @Sql='select * from A where T1=' + @T_sql exec (@Sql)exec P_Test '1'exec P_Test '2 or 1=1'
如果存储过程中 用动态SQL语句 拼接查询 还是有注入的可能!!eg:create table A
(
T1 int
)
insert A select 1
create proc P_Test(@T_sql nvarchar(3000))
as
declare @Sql nvarchar(1000)
set @Sql='select * from A where T1=' + @T_sql
exec (@Sql)exec P_Test '1'exec P_Test '2 or 1=1'