petdance/bobby-tables

Add page describing database-layer SQL injection


The language idioms for avoiding SQL injection which are described here are for use in the application layer -- a programming language / runtime connects to a database server and issues commands, and those commands must not be constructed by concatenating commands and raw user input.

However, if the database system supports it, concatenating input and commands into a new command and executing the new command can also be done on the database side (e.g. within a stored procedure), and is also vulnerable:

CREATE PROCEDURE dbo.GetStudent @FirstName NVARCHAR(255)
AS
BEGIN
    -- The parameter value is spliced into the command text and the result is
    -- executed as SQL; in T-SQL a literal single quote is written as ''.
    EXECUTE ('SELECT * FROM Students WHERE FirstName = ''' + @FirstName + '''')
END

because of the following call:

EXECUTE dbo.GetStudent @FirstName = 'Robert''; DROP TABLE Students; --'
-- command text that is built and executed:
--   SELECT * FROM Students WHERE FirstName = 'Robert'; DROP TABLE Students; --'
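For comparison, the same procedure written so that the parameter is never spliced into executable text. This is an added example and not code from the bobby-tables project; the table and column names (Students, FirstName, and an assumed LastName) follow the issue, and the procedure names GetStudentSafe and FindStudentSafe are made up for the illustration.

```sql
-- Preferred form: no dynamic SQL at all. The parameter is bound by the
-- server and compared as a value, so it can never become part of the command.
CREATE PROCEDURE dbo.GetStudentSafe @FirstName NVARCHAR(255)
AS
BEGIN
    SELECT * FROM Students WHERE FirstName = @FirstName;
END
GO

-- When dynamic SQL is genuinely needed (here: the filter column is chosen at
-- run time), keep user input out of the command text by passing it as a
-- parameter of sp_executesql. The identifier is checked against a fixed list
-- and quoted with QUOTENAME, because identifiers cannot be parameterised.
CREATE PROCEDURE dbo.FindStudentSafe
    @Column SYSNAME,
    @Value  NVARCHAR(255)
AS
BEGIN
    IF @Column NOT IN (N'FirstName', N'LastName')
    BEGIN
        RAISERROR(N'Unsupported column', 16, 1);
        RETURN;
    END;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM Students WHERE ' + QUOTENAME(@Column) + N' = @v;';

    -- @v travels to the server as a typed parameter; the text
    -- 'Robert''; DROP TABLE Students; --' is only ever compared to FirstName.
    EXEC sp_executesql @sql, N'@v NVARCHAR(255)', @v = @Value;
END
GO

-- The call from the issue is now a plain (non-matching) lookup against either procedure:
EXEC dbo.GetStudentSafe  @FirstName = N'Robert''; DROP TABLE Students; --';
EXEC dbo.FindStudentSafe @Column = N'FirstName', @Value = N'Robert''; DROP TABLE Students; --';
```

The second procedure is the one worth reviewing for in code audits: EXECUTE with a concatenated string is the database-side equivalent of string-building a query in the application, while sp_executesql with a parameter definition is the database-side equivalent of a prepared statement.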