它们并不都是存储过程。特别是一些诸如交叉列表连接之类的东西会产生一些可怕的语法。例如，请查看这篇文章中的 SQL Trace 窗口。此外，由于开发人员可以编写用户控件和 API 调用，因此无法保证在使用自定义模块时不会受到 SQL 注入的影响。

我的猜测是SharePoint始终使用至少命名参数。然而，你最好的选择可能是运行一个SQL跟踪并比较结果。此外，如果你是一个足够大的客户，你可以尝试联系本地的MSFT布道者（或在connect.microsoft.com上发布一个问题），看看是否能得到回应。

Thanks. I looked at the profiler myself and found some things: It looks like SharePoint is only executing stored procedures. There are occasional bits of pure SQL, but these seem to be limited to "exec sp_oledb_ro_usrname" and "select collationname(...)", which appear to be some deep-down internal thing, and possibly are not being executed as SQL at all, but are just coming out in the profiler that way...?

SharePoint有时会使用sp_executesql，但这是一个参数化调用，因此很可能不会受到注入的影响。

There s a number of relatively new blind SQL injection vectors which are based on response delay - for example using WAITFOR DELAY. At least sqlmap and BurpSuite use them (and others probably too).

These vectors however are prone to false positives, because the trigger is, well, HTTP response delay, which may also happen for thousand other reasons if you re scanning over Internet. If you got these over LAN, I would be more suspicious but still investigate other possible delay causes on the server side. Only if you get the delay consistently in a number of independent tried, you are probably dealing with a vulnerability.

Also note that SharePoint often triggers old FrontPage vulnerabilities in many vuln scanners, which are also false positives - for details see this article "SharePoint and FrontPage Server Extensions in security scanner results".