
I want to have inserted data in a stored procedure; because of SQL injection, I use PREPARE and EXECUTE statements.

What should I have done to have the inserted data?

The following code is only a part of the User table.

DELIMITER ;;
CREATE PROCEDURE `UserCreate`
(
    IN `@Name`      VARCHAR(32)
)
BEGIN
    -- the parameter value is concatenated straight into the statement text
    SET @Query = CONCAT
    (
        'INSERT INTO
            User
            (
                Name
            )
            VALUES
            ('
                , '\'' , `@Name` , '\''
                , ')'
    );

    PREPARE Statement FROM @Query;
    EXECUTE Statement;
    DEALLOCATE PREPARE Statement;

END ;;
DELIMITER ;
  • I use a binary UUID for having more security.

1 Answer

  • That's not using "prepare" to do the escaping. Put the IN parameter in the EXECUTE.

  • Please don't name parameters with @ -- it is too confusing with @variables. I like to prefix in args with _.

  • A UUID is 36 characters; the binary equivalent is BINARY(16). Your VARCHAR(32) does not agree with "I use Binary uuid for having more security".

  • Thanks for your help and great response. It helped me a lot; sorry for my delay in marking it as the verified answer. (Commented Jun 23, 2022 at 9:14)
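The procedure rewritten the way the answer recommends, as an added example (not the asker's code and not from the answer itself): the statement text stays constant, the value is bound through `EXECUTE ... USING`, the parameter is prefixed with `_`, and the key is a BINARY(16) UUID. It assumes MySQL 8.0 (for `UUID_TO_BIN()`) and a `User` table with columns `Id BINARY(16)` and `Name VARCHAR(32)`; both the table layout and the column names are assumptions.

```sql
-- Added example, not the original poster's code. Assumes MySQL 8.0 and a table:
--   CREATE TABLE `User` (Id BINARY(16) PRIMARY KEY, Name VARCHAR(32) NOT NULL);
DELIMITER ;;
CREATE PROCEDURE `UserCreate`
(
    IN _Name VARCHAR(32)   -- prefixed with _ so it cannot be confused with a @session variable
)
BEGIN
    -- The statement text is a constant with a placeholder; the value is never
    -- concatenated into it, so quote characters in _Name remain plain data.
    SET @Query = 'INSERT INTO `User` (Id, Name) VALUES (UUID_TO_BIN(UUID()), ?)';

    -- USING only accepts user-defined (@) variables, so copy the argument into one.
    SET @p_Name = _Name;

    PREPARE stmt FROM @Query;
    EXECUTE stmt USING @p_Name;   -- the server binds the value to the ? placeholder
    DEALLOCATE PREPARE stmt;
END ;;
DELIMITER ;

-- Usage: an input containing a quote is stored verbatim, not interpreted as SQL.
CALL UserCreate('O''Brien');
SELECT BIN_TO_UUID(Id) AS Id, Name FROM `User`;
```

Because the statement text here never changes, a plain `INSERT INTO ... VALUES (UUID_TO_BIN(UUID()), _Name)` inside the procedure would be just as safe; the PREPARE/USING form is what to reach for when the text genuinely has to be built at runtime (for example a table name chosen from a fixed allow-list), and even then only the fixed parts go into the text while every value goes through `USING`.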
