November 29, 2021 at 12:00 am
Comments posted to this topic are about the item Creating Markdown Formatted Text for Results from T-SQL
Tomaž Kaštrun | twitter: @tomaz_tsql | Github: https://github.com/tomaztk | blog: https://tomaztsql.wordpress.com/
November 29, 2021 at 9:26 am
When you are working with dynamic SQL, and particularly when it uses varchar parameters and adds them to the dynamic code, you always have to use QUOTENAME(); otherwise someone could call your procedure with something like @table_name = 'test; drop database xxx; --'.
And even without such code injection, there may be users who have strangely named tables/schemas which would not work without square brackets because they start with a number or have spaces in them.
God is real, unless declared integer.
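To illustrate the point made in the post above, here is an added T-SQL example (not code from the thread or from the original article): a dynamic-SQL procedure that builds its statement with QUOTENAME() and checks the object exists before executing, next to the raw-concatenation pattern the post warns against. The table names, procedure names and sample rows are constructed for illustration; CREATE OR ALTER assumes SQL Server 2016 SP1 or later.

```sql
-- Added example, not from the thread. Sample objects are constructed.
CREATE TABLE dbo.test (id int NOT NULL, name nvarchar(50));
INSERT INTO dbo.test (id, name) VALUES (1, N'alpha'), (2, N'beta');
GO

-- UNSAFE pattern: the parameter is pasted into the statement as raw text,
-- so any ';' or '--' inside it is parsed as T-SQL rather than as a name.
CREATE OR ALTER PROCEDURE dbo.RowCount_Unsafe
    @table_name sysname
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT COUNT(*) AS row_count FROM dbo.' + @table_name + N';';
    PRINT @sql;            -- shows the statement exactly as it would run
    EXEC sp_executesql @sql;
END;
GO

-- SAFE pattern: QUOTENAME() wraps the value in [ ] and doubles any ']' it
-- contains, so the whole string can only ever be read as one identifier.
CREATE OR ALTER PROCEDURE dbo.RowCount_Safe
    @schema_name sysname = N'dbo',
    @table_name  sysname
AS
BEGIN
    -- Fail early if no such user table exists (cheap allow-list check).
    IF OBJECT_ID(QUOTENAME(@schema_name) + N'.' + QUOTENAME(@table_name), N'U') IS NULL
    BEGIN
        RAISERROR(N'Table %s.%s does not exist.', 16, 1, @schema_name, @table_name);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT COUNT(*) AS row_count FROM '
        + QUOTENAME(@schema_name) + N'.' + QUOTENAME(@table_name) + N';';
    PRINT @sql;
    EXEC sp_executesql @sql;
END;
GO

-- Normal use: builds  SELECT COUNT(*) AS row_count FROM [dbo].[test];
EXEC dbo.RowCount_Safe @table_name = N'test';

-- The value from the post becomes a single, harmless identifier:
--   SELECT COUNT(*) AS row_count FROM [dbo].[test; drop database xxx; --];
-- The OBJECT_ID check rejects it before anything is executed; even without
-- the check it would only fail with "Invalid object name".
EXEC dbo.RowCount_Safe @table_name = N'test; drop database xxx; --';

-- Names that start with a digit or contain spaces are handled the same way,
-- which is the second point the post makes.
CREATE TABLE dbo.[1st quarter] (id int);
EXEC dbo.RowCount_Safe @table_name = N'1st quarter';   -- FROM [dbo].[1st quarter]
GO
```

The PRINT in each procedure is there so you can compare the generated text of the two versions side by side; in production you would drop it. Note that QUOTENAME() only protects identifiers (its output is limited to 128 characters plus brackets), so values that belong in the WHERE clause should still be passed as parameters to sp_executesql rather than concatenated.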
November 30, 2021 at 2:24 am
That's kind of cool. Thanks for the article.
Do you have a link to some formal documentation for what the syntax and possible functionality is for this "markdown" language and how to control what is actually presented on the screen?
Also, I totally agree with what Thomas is saying about SQL Injection above.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 3, 2021 at 4:54 am
Hi,
You can use all the Markdown formatting text for the output. You can try: Basic Syntax | Markdown Guide
I agree about the QUOTENAME() function; great remark.
Best
Tomaž Kaštrun | twitter: @tomaz_tsql | Github: https://github.com/tomaztk | blog: https://tomaztsql.wordpress.com/
December 3, 2021 at 7:16 am
Looks a whole lot like good ol' fashioned HTML. Thanks for the link, Tomaz.
--Jeff Moden
Change is inevitable... Change for the better is not.