February 5, 2013 at 3:01 pm
Antony Symonds (2/5/2013)
Is dynamic SQL bad in general, or just when it opens up this sort of a security hole, allowing for the SQL to be fully specified, or at least the table?
Dynamic SQL is very powerful and is sometimes the best way to accomplish something. In this case it is more dangerous because of the possibility of SQL injection.
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
February 6, 2013 at 1:54 am
Sean Lange (2/5/2013)
Antony Symonds (2/5/2013)
Is dynamic SQL bad in general, or just when it opens up this sort of a security hole, allowing for the SQL to be fully specified, or at least the table?
Dynamic SQL is very powerful and is sometimes the best way to accomplish something. In this case it is more dangerous because of the possibility of SQL injection.
Thanks, that is pretty much what I was thinking; I just wanted to make sure... I suppose he could put some conditions to test the parameters being sent to make sure it's within an acceptable bracket of SQL code...
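The parameter check discussed above, as an added T-SQL example that is not from the thread or from either poster: the table name is validated against the catalog and delimited with QUOTENAME, and the data value is bound through sp_executesql rather than concatenated. The procedure, parameter and column names (dbo.GetRowsByStatus, @TableName, @Status, Status) are assumed for illustration.

```sql
-- Added example (not from the thread). Assumed names: dbo.GetRowsByStatus,
-- @TableName, @Status, and a column called Status in the target table.
CREATE PROCEDURE dbo.GetRowsByStatus
    @TableName sysname,
    @Status    varchar(20)
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Only accept a table that actually exists in the dbo schema.
    --    Anything else is rejected before any SQL text is built.
    IF NOT EXISTS (SELECT 1
                   FROM sys.tables AS t
                   JOIN sys.schemas AS s ON s.schema_id = t.schema_id
                   WHERE s.name = N'dbo' AND t.name = @TableName)
    BEGIN
        RAISERROR(N'Unknown or disallowed table: %s', 16, 1, @TableName);
        RETURN;
    END;

    -- 2. Build the statement. The identifier is bracket-delimited with
    --    QUOTENAME; the data value stays a parameter placeholder.
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM dbo.' + QUOTENAME(@TableName)
      + N' WHERE Status = @Status;';

    -- 3. Execute with the value bound as a typed parameter. The value is
    --    never part of the SQL text, so it cannot alter the statement.
    EXEC sys.sp_executesql
        @sql,
        N'@Status varchar(20)',
        @Status = @Status;
END;
GO

-- Contrast: the pattern the thread warns about. Both inputs are spliced
-- straight into the text, so whoever controls them controls the statement.
-- DECLARE @bad nvarchar(max) = N'SELECT * FROM ' + @TableName
--                            + N' WHERE Status = ''' + @Status + N''';';
-- EXEC (@bad);
```

The catalog lookup is what turns "any table the caller names" into "only tables that exist in dbo", and the parameterised value means the WHERE clause never changes shape regardless of what @Status contains.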