July 7, 2009 at 2:59 am
Hi all,
I've been doing some benchmarking on a server and I just wanted to check something. Our application is making requests to the database server and SQL Profiler sees these as "exec sp_execute" commands.
Now I don't know exactly how the code is calling whatever it's calling, however I just wanted to check that I am correct in assuming that the execution of "exec sp_execute" will effectively be treated as dynamic SQL?
Any help would be great.
Thanks,
Jackal
July 7, 2009 at 10:35 am
I've used sp_executesql but not sp_execute. The former provides for safe use of parameter specifiers for building injection-proof dynamic SQL. Maybe the latter is an application specific stored procedure.
The probability of survival is inversely proportional to the angle of arrival.
July 7, 2009 at 11:58 am
First, "injection proof" is not accurate; "injection resistant" *maybe*. sp_execute is an extended stored procedure doing basically the same thing as EXEC ( 'some sql command' ) or sp_executesql. It is executing dynamic SQL.
Now the bigger question is whether your application calls any stored procedures or just executes endless dynamic SQL against the DB.
CEWII
July 7, 2009 at 12:07 pm
'proof' was probably too strong a word. (The only injection proof server is one with no connections. lol)
The probability of survival is inversely proportional to the angle of arrival.
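Added example, not from any of the posters above: the three forms of dynamic SQL the thread mentions side by side, so the difference between concatenating a value into the statement text and binding it as a parameter is visible. It assumes a constructed table dbo.Users (Id, Name) and a constructed hostile input value; none of these come from the thread.

```sql
-- Constructed demo schema (assumption, not from the thread)
CREATE TABLE dbo.Users (Id INT PRIMARY KEY, Name NVARCHAR(50));
INSERT INTO dbo.Users (Id, Name) VALUES (1, N'alice'), (2, N'bob');

-- Constructed input containing a quote, as a user-supplied value might
DECLARE @input NVARCHAR(100) = N'alice'' OR 1=1 --';

-- 1. Dynamic SQL by concatenation: the value becomes part of the statement
--    text, so it can change the statement's meaning (this returns every row)
--    and every distinct value produces a distinct statement to compile.
DECLARE @unsafe NVARCHAR(MAX) =
    N'SELECT Id, Name FROM dbo.Users WHERE Name = ''' + @input + N'''';
EXEC (@unsafe);

-- 2. sp_executesql with a parameter list: the statement text is fixed and
--    the value travels separately as @n, so it is only ever compared as data
--    (returns no rows for this input) and the plan is reusable.
EXEC sp_executesql
    N'SELECT Id, Name FROM dbo.Users WHERE Name = @n',
    N'@n NVARCHAR(100)',
    @n = @input;

-- 3. Prepare/execute pair that client drivers emit for prepared statements;
--    Profiler shows the second call as "exec sp_execute <handle>, <value>".
--    Same property as (2): text fixed at prepare time, values bound at run time.
DECLARE @handle INT;
EXEC sp_prepare @handle OUTPUT,
    N'@n NVARCHAR(100)',
    N'SELECT Id, Name FROM dbo.Users WHERE Name = @n';
EXEC sp_execute @handle, @input;
EXEC sp_unprepare @handle;

DROP TABLE dbo.Users;
```

When reviewing a Profiler trace, the check that matters is whether the statement text seen at sp_executesql or sp_prepare stays constant across calls while only the bound values change; text that differs per call is the concatenated form in (1), whatever procedure wraps it.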