I have a full text search sproc which accepts a string as a parameter i.e. @term nvarchar(120)
I then have to do this within the sproc:
declare @searchPhrase nvarchar(150)
set @searchPhrase = ' ' ' ISABOUT(" ' + @term + ' " ' ' '
then I use this within the procedure:
INNER JOIN FREETEXTTABLE(product, [productname], @searchPhrase) as key_tbl
Now, the sproc is fast, but I was wondering if wrapping the isabout bit etc around the @term parameter before using is a security risk?
I have run some tests by doing attempted sql injections and looking at profiler and it seems that the input is always being treated as literal - i.e. no risk, but I'm not a sql injection expert so was wondering if this design poses a sql injection risk? The only other option I have would be to run the whole thing as dynamic sql and use sp_executesql....which I would rather avoid.
Thanks,
Matt