Solved

sql stored proc with dynamic sql

Posted on 2008-06-12
4
371 Views
Last Modified: 2008-08-29
I am running a stored procedure in which i am creating the query in a variable @query by checking some input variables and then exceuting the query by execute(@query).I know these type has more chances to sql injection,but in my case i don't have any other options.I came to know that using paremeterized inputs for creating this query would reduce the risk of sql injection in these dynamic query stored proc.Can anyone show me an example of using parametrized inputs for dynamic query.
0
Comment
Question by:rathiagu
  • 2
4 Comments
 
LVL 60

Accepted Solution

by:
chapmandew earned 125 total points
ID: 21770352
Sure...

create proc mydynamicproc
(
@tablename nvarchar(255),
@whereclause nvarchar(255)
)
as
begin
declare @sql nvarchar(2000)
set @sql = 'SELECT * FROM ' + @tablename + ' WHERE ' + @whereclause

exec sp_executesql @sql
end
0
 
LVL 51

Expert Comment

by:Mark Wills
ID: 21774556
Just to add a couple of qualifiers to the above.... putting the "bits' on a new line and the where in brackets and extending the criteria prevents the inclusion of a terminated "where" (ie a semicolon, or commented) with a new 'command' being the injection - the @sql statement will fail. But there are still more techniques for sql injection...

Is this on the right track ?


create proc mydynamicproc (@columns varchar(2000),@tablename varchar(2000), @whereclause varchar(2000))
as
begin
declare @sql varchar(8000)

set @sql = 'SELECT
'+ @columns +'
FROM
' + @tablename + '
WHERE
(' + @whereclause +')
AND (1=1)'

exec (@sql)
end
0
 

Author Comment

by:rathiagu
ID: 21816338
Thank U chapmandew and mark wills
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21816370
you're welcome...
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sql Permission 6 52
How to get sum of group by column and sum of total values 4 56
DBF to ... Converter 5 43
RDBMS and No sql database 4 46
APEX (Application Express) is used to develop a web application from Oracle. SQL Workshop is one of the tools that comes with Oracle APEX to query or modify the database objects or to make any changes to the structure.
Creating and Managing Databases with phpMyAdmin in cPanel.
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now