I heard that SQL Injection can still be possible when using ADO.NET SQLParameter (parameterised query) for SQL Server.
I am looking for real examples in C#/VB code.
A specific example...
create procedure dbo.spVulnerable
@firstname varchar(200)
as
-- @firstname is spliced into the statement text, so whatever it contains is parsed as SQL
exec ('select id from tblPerson where firstname = ''' + @firstname + '''')
go
I might have gotten the syntax wrong, but no matter how you parameterize @firstname it is still vulnerable to something like the following:
"Joe' or 1=1"
As long as you use dynamic SQL you are potentially vulnerable to SQL injection. Other than using parameterized SQL, the only solution is to whitelist your input (or, if you're feeling brave, try to strip the input of dangerous characters).
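An added example, not from either answer above, showing the fix that both answers point at: keep the dynamic statement if you must, but hand the value to sp_executesql as a typed parameter instead of concatenating it. It assumes the table dbo.tblPerson(id, firstname) implied by spVulnerable.

```sql
-- Hardened counterpart of dbo.spVulnerable (assumed table: dbo.tblPerson).
-- The statement text is fixed; @firstname travels as a parameter of
-- sp_executesql, so SQL Server treats it purely as data, never as syntax.
create procedure dbo.spSafe
    @firstname varchar(200)
as
begin
    declare @sql nvarchar(max) =
        N'select id from dbo.tblPerson where firstname = @fn;';

    exec sys.sp_executesql
        @sql,
        N'@fn varchar(200)',   -- parameter definition for the statement
        @fn = @firstname;      -- value bound by name, not spliced into text
end
go

-- Constructed input: a legitimate name containing an apostrophe.
declare @name varchar(200) = 'O''Brien';

-- spVulnerable builds ... where firstname = 'O'Brien' and fails to parse:
-- the quote inside the value ends the string literal early. The answer's
-- "Joe' or 1=1" input reaches the parser in exactly the same way.
exec dbo.spVulnerable @firstname = @name;

-- spSafe compares the whole value as a string and returns O'Brien's id,
-- if that row exists; the same call with "Joe' or 1=1" simply matches nothing.
exec dbo.spSafe @firstname = @name;
```

The same rule holds when the dynamic part is a table or column name rather than a value: sp_executesql cannot parameterize identifiers, so those must be validated against a fixed list (the whitelist mentioned above) and wrapped with QUOTENAME before concatenation.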