Sql injection on stored procedure

I am trying to do sql injection on my stored procedure through login form. Here is my stored procedure

CREATE proc [dbo].[sp_ADM_Login] (
    @loginName varchar(25),
    @password varchar(100)
)

AS

select
    l.LoginId,
    l.LoginName,
    l.LoginType,
    l.RG_cCode,
    dbo.GetUserName(l.UserDetailsCode, l.LoginType) as [Name],
    isnull(l.DefBranchId, 0) as BranchId,
    l.DefBranchCode as branchCode,
    l.LoginCode as loginCode
from
    ADM_Login l
where
    LoginName = @loginName and
    [Password] = @password and
    l.IsActive = 1

I tried giving the user name as user' or 1=1-- but it doesn't work. Is it possible to do SQL injection in this code?

To execute the stored procedure, here is the C# code:

Database db = DatabaseFactory.CreateDatabase("ConnectionString");
DbCommand cmd = db.GetStoredProcCommand("sp_ADM_Login");
db.AddInParameter(cmd, "@loginName", DbType.String, loginName);
db.AddInParameter(cmd, "@password", DbType.String, password);
DbDataReader dr = (DbDataReader)db.ExecuteReader(cmd);

Answers


No, it isn't possible to do SQL injection with properly parameterized queries, as long as you call them from your C# code with parameters. If you format an EXEC sp_ADM_login... SQL string yourself, you are vulnerable.

With the C# code using proper parameters as you do, you are totally safe. Any strange values will be properly escaped.
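The two situations the answer distinguishes, side by side, as an added example that is not code from the original question or answer. It uses the same Enterprise Library Data Access API the question's code uses (DatabaseFactory, GetStoredProcCommand, AddInParameter, ExecuteReader) plus GetSqlStringCommand for the hand-built string; the connection string name "ConnectionString" and the procedure and column names are taken from the question. The class and method names (LoginDemo, BuildCommandUnsafe, BuildCommandSafe, TryLogin, IsInputInCommandText) are this example's own.

```csharp
using System;
using System.Data;
using System.Data.Common;
using Microsoft.Practices.EnterpriseLibrary.Data;

// Added example, not part of the original post. Contrasts building the
// EXEC statement from user input (injectable) with passing typed parameters
// (what the question's code already does), against the same sp_ADM_Login.
public static class LoginDemo
{
    // VULNERABLE pattern the answer warns about: the user's text is pasted
    // into the command text. A single quote in the input ends the string
    // literal, and everything after it is parsed by SQL Server as part of
    // the statement, so the statement's meaning is under the caller's control.
    // Kept here only to make the contrast concrete.
    public static DbCommand BuildCommandUnsafe(Database db, string loginName, string password)
    {
        string sql = "EXEC dbo.sp_ADM_Login '" + loginName + "', '" + password + "'";
        return db.GetSqlStringCommand(sql);   // plain-text command, no parameters
    }

    // SAFE pattern (same calls as in the question): the values travel to SQL
    // Server as typed parameters and never become statement text. The input
    // user' or 1=1-- is compared, character for character, against
    // ADM_Login.LoginName and simply matches no row.
    public static DbCommand BuildCommandSafe(Database db, string loginName, string password)
    {
        DbCommand cmd = db.GetStoredProcCommand("sp_ADM_Login");   // CommandType.StoredProcedure
        db.AddInParameter(cmd, "@loginName", DbType.String, loginName);
        db.AddInParameter(cmd, "@password", DbType.String, password);
        return cmd;
    }

    // Quick review check: does the raw user input appear inside the SQL text
    // that will be sent to the server? True for the unsafe builder, false for
    // the parameterized one, whose CommandText is just the procedure name.
    public static bool IsInputInCommandText(DbCommand cmd, string userInput)
    {
        return cmd.CommandText.Contains(userInput);
    }

    // Runs the parameterized login; one row back means the credentials matched.
    public static bool TryLogin(Database db, string loginName, string password)
    {
        DbCommand cmd = BuildCommandSafe(db, loginName, password);
        using (IDataReader dr = db.ExecuteReader(cmd))
        {
            return dr.Read();
        }
    }

    public static void Main()
    {
        Database db = DatabaseFactory.CreateDatabase("ConnectionString");
        string probe = "user' or 1=1--";   // the input tried in the question

        Console.WriteLine("unsafe text carries input: "
            + IsInputInCommandText(BuildCommandUnsafe(db, probe, "x"), probe));   // True
        Console.WriteLine("safe text carries input:   "
            + IsInputInCommandText(BuildCommandSafe(db, probe, "x"), probe));     // False

        Console.WriteLine(TryLogin(db, probe, "anything") ? "logged in" : "rejected");
    }
}
```

The parameters protect the boundary between the C# code and SQL Server. One caveat worth keeping in mind: that protection covers the call, not the body of the procedure. sp_ADM_Login above runs a static SELECT, so the parameter value can only ever be compared as data; a procedure that instead concatenated its parameters into a string and ran it with EXEC or sp_executesql would move the same problem inside the database.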

