November 29, 2021 at 12:00 am
Comments posted to this topic are about the item Creating Markdown Formatted Text for Results from T-SQL
Tomaž Kaštrun | twitter: @tomaz_tsql | Github: https://github.com/tomaztk | blog: https://tomaztsql.wordpress.com/
November 29, 2021 at 9:26 am
When you are working with dynamic SQL, particularly when it uses varchar parameters and adds them to the dynamic code, you always have to use QUOTENAME(); otherwise someone could call your procedure with something like @table_name = 'test; drop database xxx; --'.
And even without such code injection, there may be users who have strangely named tables or schemas that would not work without square brackets because they start with a number or contain spaces.
God is real, unless declared integer.
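The QUOTENAME() point from the reply above, as an added T-SQL example that is not part of the original article or of any post in this thread. It assumes SQL Server 2016 SP1 or later (for CREATE OR ALTER); the procedure name dbo.usp_RowCountMarkdown, its parameters and the sample table names are constructed for illustration. Both identifiers are wrapped in QUOTENAME() before being concatenated into the dynamic statement, the object is checked for existence first, and any value that must appear as data (the label printed in the Markdown row) is passed to sp_executesql as a parameter rather than concatenated.

```sql
-- Added example (not from the original article or thread). Builds one Markdown table row
-- ("| schema.table | rowcount |") from a caller-supplied schema and table name.
-- Weak form the remark above warns against: the name is concatenated raw, so a value such as
-- N'test; drop database xxx; --' would run the injected statement:
--     SET @sql = N'SELECT COUNT(*) FROM ' + @table_name + N';';
CREATE OR ALTER PROCEDURE dbo.usp_RowCountMarkdown   -- hypothetical procedure name
    @schema_name sysname = N'dbo',
    @table_name  sysname
AS
BEGIN
    SET NOCOUNT ON;

    -- Check that the object exists before building any dynamic SQL. QUOTENAME() turns
    -- 'test; drop database xxx; --' into [test; drop database xxx; --], which is simply
    -- a table name that does not exist, so the procedure stops here.
    IF OBJECT_ID(QUOTENAME(@schema_name) + N'.' + QUOTENAME(@table_name), N'U') IS NULL
    BEGIN
        RAISERROR(N'Table %s.%s does not exist.', 16, 1, @schema_name, @table_name);
        RETURN;
    END;

    -- Identifiers go through QUOTENAME(); this also makes names that start with a digit
    -- or contain spaces (e.g. [2021 Sales Data]) valid in the generated statement.
    DECLARE @sql nvarchar(max) =
          N'SELECT N''| '' + @label + N'' | '' + CAST(COUNT(*) AS nvarchar(20)) + N'' |'' AS markdown_row'
        + N' FROM ' + QUOTENAME(@schema_name) + N'.' + QUOTENAME(@table_name) + N';';

    -- The label is data, not an identifier, so it is passed as a parameter instead of
    -- being spliced into the string (a single quote in the name cannot break out).
    DECLARE @label nvarchar(300) = @schema_name + N'.' + @table_name;

    EXEC sys.sp_executesql
        @sql,
        N'@label nvarchar(300)',
        @label = @label;
END;
GO

-- Usage with constructed names:
-- A table whose name starts with a digit and contains spaces works because of QUOTENAME():
EXEC dbo.usp_RowCountMarkdown @schema_name = N'dbo', @table_name = N'2021 Sales Data';
-- The payload quoted in the reply above is bracketed, fails the existence check and never runs:
EXEC dbo.usp_RowCountMarkdown @table_name = N'test; drop database xxx; --';
```

QUOTENAME() returns NULL for input longer than 128 characters, so declaring the identifier parameters as sysname (nvarchar(128)) keeps the two checks consistent; if the procedure accepted longer strings, the NULL would need to be handled explicitly rather than silently concatenated.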
November 30, 2021 at 2:24 am
That's kind of cool. Thanks for the article.
Do you have a link to some formal documentation for what the syntax and possible functionality is for this "markdown" language and how to control what is actually presented on the screen?
Also, I totally agree with what Thomas is saying about SQL Injection above.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 3, 2021 at 4:54 am
Hi,
You can use all the Markdown formatting text for the output. You can try: Basic Syntax | Markdown Guide
I agree with QUOTENAME() function; great remark.
Best
Tomaž Kaštrun | twitter: @tomaz_tsql | Github: https://github.com/tomaztk | blog: https://tomaztsql.wordpress.com/
December 3, 2021 at 7:16 am
Looks a whole lot like good ol' fashioned HTML. Thanks for the link, Tomaz.
--Jeff Moden
Change is inevitable... Change for the better is not.