Is the following SQL susceptible to SQL injection via the @SearchWord parameter?

I want to use parameters with the FormsOf function, but the only guide to doing so I've found is in this Stack Overflow question: http://stackoverflow.com/questions/1362220/how-to-pass-parameter-to-formsof-function-in-sql-server

However the solution seems to be to use a bit of dynamic SQL, and I was wondering if that would be susceptible to SQL injection. What would happen in the following example if @searchWord contained a SQL injection type string? Is it not a problem because it's still within a parameter, passed as an argument to FREETEXTTABLE?

The solution given is:

DECLARE @SearchWord nvarchar(max)
SET @SearchWord = 'tax'   -- the user-supplied search term

DECLARE @SearchString nvarchar(max)
-- build the full-text search condition; @SearchWord is concatenated into a
-- variable here, not into the text of the statement
SET @SearchString = 'FormsOf(INFLECTIONAL, "' + @SearchWord + '")'

SELECT listing_id, RANK, name, address, city, zip, heading, phone
FROM listings a,
FREETEXTTABLE(listings, *, @SearchString)   -- condition passed as a parameter value
WHERE [KEY] = a.listing_id
ORDER BY RANK DESC, name

+1  A: 

I haven't tested this, but I don't think the interpreter is simply pasting the value of @SearchString into the statement. It should parse @SearchString using the rules that FREETEXTTABLE expects; that's the way other parameters work.

egrunin

+1  A:

No, it's not susceptible. There's no dynamic SQL here (that would require either using EXEC or sp_executesql), so there's no vector for SQL injection.

In order for a SQL injection vulnerability to exist, the user-supplied string (in this case @SearchWord) must actually be inserted directly into the text of the SQL statement. Here, it's only being used to construct another string variable, which is subsequently used as a parameter to another SQL statement.

This statement can, however, fail if the user inputs an "invalid" search word, i.e. one containing single quotes, so you should probably still escape whatever value is passed to @SearchWord. But it cannot be used to execute arbitrary SQL.

Aaronaught
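Added example (not from the question or either answer) contrasting the parameter-passing pattern above with genuine dynamic SQL, so the difference the answers describe is visible in one script. It assumes a full-text-indexed table named listings with a unique index on listing_id, uses CONTAINSTABLE (where FormsOf is part of the documented search-condition syntax), and the input value is constructed.

```sql
-- Constructed input with both kinds of quote in it: awkward, but legitimate.
DECLARE @SearchWord nvarchar(200) = N'O''Brien "tax"';   -- value: O'Brien "tax"
DECLARE @SearchString nvarchar(max);

-- 1) The pattern from the question.
-- The term is placed inside a double-quoted phrase, so a double quote in the
-- input would end the phrase early and produce a full-text syntax error.
-- Removing double quotes from the input is the simplification used here
-- (assumed sufficient for this example); single quotes need no handling at
-- all, because nothing below is ever compiled as T-SQL text.
SET @SearchString = N'FormsOf(INFLECTIONAL, "'
                  + REPLACE(@SearchWord, N'"', N'') + N'")';

SELECT a.listing_id, ft.RANK, a.name
FROM listings AS a
JOIN CONTAINSTABLE(listings, *, @SearchString) AS ft   -- parameter value, not statement text
  ON ft.[KEY] = a.listing_id
ORDER BY ft.RANK DESC;
-- Worst case for any input: a full-text syntax error or zero rows.

-- 2) What actual dynamic SQL looks like. Here the value becomes part of the
-- statement text that EXEC compiles, so the single quote in O'Brien
-- terminates the literal and the rest of the input is parsed as T-SQL.
DECLARE @Sql nvarchar(max);
SET @Sql = N'SELECT a.listing_id FROM listings AS a '
         + N'JOIN CONTAINSTABLE(listings, *, ''' + @SearchString + N''') AS ft '
         + N'ON ft.[KEY] = a.listing_id';
-- EXEC (@Sql);   -- deliberately not run: this is the injectable form

-- 3) Dynamic SQL done safely: the statement text stays fixed and the value
-- travels as a typed parameter through sp_executesql.
SET @Sql = N'SELECT a.listing_id FROM listings AS a '
         + N'JOIN CONTAINSTABLE(listings, *, @q) AS ft ON ft.[KEY] = a.listing_id';
EXEC sp_executesql @Sql, N'@q nvarchar(max)', @q = @SearchString;
```

Form 1 and form 3 are equivalent from an injection standpoint: in both, user input only ever reaches the full-text engine as a value, never the T-SQL parser as code.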