6> DECLARE @sql AS NVARCHAR(4000),
7> @b AS VARBINARY(1000), @s AS VARCHAR(2002);
8> SET @s = '0x0123456789abcdef';
9>
10> IF @s NOT LIKE '0x%' OR @s LIKE '0x%[^0-9a-fA-F]%'
11> BEGIN
12> RAISERROR('Possible SQL Injection attempt.', 16, 1);
13> RETURN;
14> END
15>
16> SET @sql = N'SET @o = ' + @s + N';';
17> EXEC sp_executesql
18> @stmt = @sql,
19> @params = N'@o AS VARBINARY(1000) OUTPUT',
20> @o = @b OUTPUT;
21>
22> SELECT @b;
23> GO
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
0x0123456789ABCDEF
1>
2>
|