February 2011 Archives

Protecting Against SQL Injection in Dynamic SQL Statements

February 26, 2011

Microsoft's Books Online article on SQL Injection does a great job of reviewing the possible attacks against dynamic SQL statements (using EXEC or sp_executesql). I won't re-hash their discussion and suggestions. What I offer below is a sample remediation effort for this set of statements (the @Fields and @Values variables are actually stored procedure parameters):

DECLARE @Fields VARCHAR(1000), @Values VARCHAR(1000), @SQL NVARCHAR(2500);
SELECT @SQL = 'INSERT INTO MyTable (' + @Fields + ') VALUES (' + @Values + ')';
EXEC(@SQL);
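The following hardened version of that builder is an added example, not the post's own remediation: it whitelists every name in @Fields against the table's metadata and re-quotes every value with QUOTENAME before anything reaches sp_executesql. It assumes SQL Server 2022 or Azure SQL (for STRING_SPLIT's ordinal column), a table named dbo.MyTable, and a hypothetical procedure name and error numbers.

```sql
-- Added example (not the original post's code): hardened INSERT builder.
-- Assumes SQL Server 2022+/Azure SQL for STRING_SPLIT's ordinal column and a table dbo.MyTable.
CREATE OR ALTER PROCEDURE dbo.InsertIntoMyTable_Safe
    @Fields VARCHAR(1000),   -- comma-separated column names, e.g. 'Name, Age'
    @Values VARCHAR(1000)    -- comma-separated values in the same order, e.g. 'O''Brien, 42'
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @SQL NVARCHAR(2500), @ColList NVARCHAR(1000), @ValList NVARCHAR(1000);
    DECLARE @TableId INT = OBJECT_ID(N'dbo.MyTable');

    -- 1. Column names are whitelisted against the table's metadata, never trusted as text.
    --    A token that is not a real column of MyTable simply fails the join and the call is rejected.
    DECLARE @Requested INT = (SELECT COUNT(*) FROM STRING_SPLIT(@Fields, ','));
    DECLARE @Matched   INT = (SELECT COUNT(*)
                              FROM STRING_SPLIT(@Fields, ',') AS f
                              JOIN sys.columns AS c
                                ON c.object_id = @TableId AND c.name = LTRIM(RTRIM(f.value)));
    IF @Requested = 0 OR @Matched <> @Requested
        THROW 50001, N'@Fields contains a name that is not a column of dbo.MyTable.', 1;

    -- 2. Each value must pair with exactly one column and fit QUOTENAME's 128-character limit
    --    (QUOTENAME returns NULL above that, and STRING_AGG would silently drop the NULL).
    IF (SELECT COUNT(*) FROM STRING_SPLIT(@Values, ',')) <> @Requested
        THROW 50002, N'@Values must contain exactly one value per field.', 1;
    IF EXISTS (SELECT 1 FROM STRING_SPLIT(@Values, ',') WHERE LEN(value) > 128)
        THROW 50003, N'Each value must be 128 characters or fewer.', 1;

    -- 3. Rebuild both lists from validated pieces. QUOTENAME(x) brackets the identifier;
    --    QUOTENAME(x, '''') wraps the value in single quotes and doubles any embedded quote,
    --    so a value can never close its own literal and continue the statement.
    SELECT @ColList = STRING_AGG(QUOTENAME(c.name), N', ') WITHIN GROUP (ORDER BY f.ordinal)
    FROM STRING_SPLIT(@Fields, ',', 1) AS f
    JOIN sys.columns AS c ON c.object_id = @TableId AND c.name = LTRIM(RTRIM(f.value));

    SELECT @ValList = STRING_AGG(QUOTENAME(LTRIM(RTRIM(v.value)), ''''), N', ')
                      WITHIN GROUP (ORDER BY v.ordinal)
    FROM STRING_SPLIT(@Values, ',', 1) AS v;

    -- 4. Only trusted, re-quoted fragments reach the dynamic statement.
    SET @SQL = N'INSERT INTO dbo.MyTable (' + @ColList + N') VALUES (' + @ValList + N');';
    EXEC sys.sp_executesql @SQL;
END;
GO
```

Every value is emitted as a string literal and left to SQL Server's implicit conversion to the column type, and because the lists are split on commas, a value that itself contains a comma cannot be passed through this interface.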

About this Archive

This page is an archive of entries from February 2011 listed from newest to oldest.
