SQL Injection
SSRS 2008 R2. I am trying to prevent reports I write from being vulnerable to SQL injection attacks. To that end I wrote a very simple report and attempted to attack it. My query:

select 'Test' as Test where 1 = 2 and 'test' = @test

I have a table that displays the column Test on my report. From my understanding, if I set @test = '' or 1=1 then I should get back a record. However, it always comes back blank. What am I doing wrong?
August 15th, 2012 1:47pm

First, SQL generally uses single quotes as the string delimiter. Second, I do think parameters are safe from SQL injection if you use them directly in a query with @paramName. (Not 100% sure.) You will be vulnerable if you generate dynamic SQL in a stored procedure using the value of a param directly. Like in that case, if you have a stored procedure doing something like

SET @sql = ' Select * from Table where name = ''' + @param + ''' '

If param contains single quotes, it will make your query have a syntax error. If you add some SQL after the ', it will be executed if you don't make any syntax errors.

Edit: And to stop the vulnerability in dynamic SQL, you must replace all single quotes in your parameters with two single quotes.
August 15th, 2012 2:15pm

Thanks, Alex. I actually had two single quotes in my example, not a double quote. Are you saying that, to the best of your knowledge, the query I provided is safe from an attack?
August 15th, 2012 2:22pm

I think so. But you could change your query to make sure it is not interpreted as

select 'Test' as Test where 1 = 2 and ('test' = '' or 1=1)

You could write it like

select 'Test' as Test where 'test' = @test

which would be interpreted as

select 'Test' as Test where 'test' = '' or 1=1

if it is weak to SQL injection!
August 15th, 2012 2:32pm
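The behaviour both replies describe, as an added T-SQL example that is not part of the original thread: the same report query run with the parameter used directly (safe), built by string concatenation in a stored-procedure style (injectable), hardened with the doubled-quote replacement Alex suggests, and finally written with sp_executesql so the SQL text never changes. It assumes SQL Server 2008 or later (the engine behind SSRS 2008 R2); the attacker value `' or 1=1 --` is constructed for the demonstration, and the parameter name @p in the last statement is a hypothetical choice.

```sql
-- Added example, not code from the original thread.
-- Constructed attacker-supplied value: a single quote, then "or 1=1", then a comment marker.
DECLARE @test nvarchar(100) = N''' or 1=1 --';

-- 1. Parameter referenced directly in the query (what the report does).
--    The whole value is compared as data, so 'test' <> @test and no row comes back.
SELECT 'Test' AS Test WHERE 'test' = @test;

-- 2. Vulnerable: the value is concatenated into the SQL text and executed.
--    Executed text:  SELECT 'Test' AS Test WHERE 'test' = '' or 1=1 --'
--    The injected "or 1=1" is evaluated as SQL and the "--" hides the trailing quote,
--    so one row comes back.
DECLARE @sql nvarchar(max);
SET @sql = N'SELECT ''Test'' AS Test WHERE ''test'' = ''' + @test + N'''';
EXEC (@sql);

-- 3. Mitigation from the thread: double every single quote before concatenating.
--    Executed text:  SELECT 'Test' AS Test WHERE 'test' = ''' or 1=1 --'
--    The payload is now one string literal again, so no row comes back.
SET @sql = N'SELECT ''Test'' AS Test WHERE ''test'' = '''
         + REPLACE(@test, N'''', N'''''')
         + N'''';
EXEC (@sql);

-- 4. Preferred: keep the SQL text constant and hand the value over as a parameter,
--    which is exactly the case in step 1 even though the statement is built dynamically.
--    @p is a hypothetical parameter name chosen for this example.
SET @sql = N'SELECT ''Test'' AS Test WHERE ''test'' = @p';
EXEC sp_executesql @sql, N'@p nvarchar(100)', @p = @test;
```

Running the four statements against a SQL Server instance shows one result row only from step 2. Step 3 works as long as every concatenated value goes through the REPLACE (QUOTENAME(@test, '''') does the same job and also truncates over-long input), but step 4 is the form to use in stored procedures that back reports, because a forgotten REPLACE in one code path is the usual way the dynamic-SQL vulnerability comes back.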
