Vlad Drumea fixes a procedure:
In the past few years, I’ve seen quite a few stored procedures that rely on dynamic T-SQL without properly guarding for SQL injection.
Some cases were reporting stored procedures, while others were maintenance-type stored procedures (e.g. stats updates) that could be kicked off from the app, or even stored procedures that handled app upgrades/patching.
In all these cases, certain portions of the dynamic T-SQL relied on input provided by users via input parameters.
Read on for an example. The solution is still the classic combination: QUOTENAME() around any identifier (schema, table, column name) that has to be spliced into the string, and sp_executesql with typed parameters for any value, whenever user input reaches dynamic T-SQL. Concatenating either one into the string, or running the result through EXEC(@sql), is what opens the injection.
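The pattern, as an added T-SQL example that is not code from Vlad Drumea's post: a reporting procedure that takes a table name and a filter value, first in the vulnerable concatenated form and then hardened with QUOTENAME() for the identifier and sp_executesql parameters for the value. The table dbo.Orders(CustomerName, Amount) and the procedure names are hypothetical, and the inputs in the trailing comments are constructed for illustration.

```sql
-- Added example, not from the original post. Assumes a hypothetical table
-- dbo.Orders (CustomerName nvarchar(100), Amount money) in the current database.

-- Vulnerable: both the identifier and the value are concatenated straight into
-- the statement text, so whoever controls either parameter controls the query.
CREATE OR ALTER PROCEDURE dbo.usp_GetRows_Unsafe
    @TableName sysname,
    @Customer  nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT * FROM dbo.' + @TableName
             + N' WHERE CustomerName = N''' + @Customer + N''';';
    EXEC (@sql);   -- no parameters: the string is the whole query
END;
GO

-- Constructed attacker inputs that rewrite the statement above:
--   @Customer  = N'x'' OR 1=1 --'                 -> returns every row
--   @TableName = N'Orders; DROP TABLE dbo.Orders; --' -> runs a second batch

-- Hardened: the identifier is checked against the catalog and wrapped with
-- QUOTENAME(); the value travels as a typed parameter to sp_executesql and is
-- never part of the statement text.
CREATE OR ALTER PROCEDURE dbo.usp_GetRows_Safe
    @TableName sysname,
    @Customer  nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow-list the identifier: QUOTENAME() stops it from breaking out of the
    -- brackets, but only the catalog check stops it from naming a table the
    -- caller has no business reading.
    IF OBJECT_ID(QUOTENAME(N'dbo') + N'.' + QUOTENAME(@TableName), N'U') IS NULL
    BEGIN
        THROW 50000, N'Unknown table.', 1;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT * FROM dbo.' + QUOTENAME(@TableName)
             + N' WHERE CustomerName = @Customer;';   -- placeholder, not a literal

    EXEC sys.sp_executesql
        @sql,
        N'@Customer nvarchar(100)',   -- parameter definition
        @Customer = @Customer;        -- the value is bound, never concatenated
END;
GO

-- Constructed calls against the hypothetical table:
--   EXEC dbo.usp_GetRows_Safe @TableName = N'Orders; DROP TABLE dbo.Orders; --',
--                             @Customer  = N'Contoso';
--     -> error 50000 'Unknown table.'; no dynamic SQL is executed.
--   EXEC dbo.usp_GetRows_Safe @TableName = N'Orders',
--                             @Customer  = N'x'' OR 1=1 --';
--     -> returns only rows whose CustomerName equals the literal string
--        x' OR 1=1 --, because the value never becomes part of the query text.
```

Two things worth keeping in mind when applying this. QUOTENAME() only makes an identifier syntactically inert; it does not decide whether the caller should be allowed to touch that object, which is why the example also resolves the name through OBJECT_ID() before building the string. And passing values through sp_executesql parameters, rather than embedding them, also gives plan reuse across calls, so the safe version is usually the cheaper one as well.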