Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

sql stored proc with dynamic sql

Posted on 2008-06-12
4
Medium Priority
?
412 Views
Last Modified: 2008-08-29
I am running a stored procedure in which i am creating the query in a variable @query by checking some input variables and then exceuting the query by execute(@query).I know these type has more chances to sql injection,but in my case i don't have any other options.I came to know that using paremeterized inputs for creating this query would reduce the risk of sql injection in these dynamic query stored proc.Can anyone show me an example of using parametrized inputs for dynamic query.
0
Comment
Question by:rathiagu
  • 2
4 Comments
 
LVL 60

Accepted Solution

by:
chapmandew earned 500 total points
ID: 21770352
Sure...

create proc mydynamicproc
(
@tablename nvarchar(255),
@whereclause nvarchar(255)
)
as
begin
declare @sql nvarchar(2000)
set @sql = 'SELECT * FROM ' + @tablename + ' WHERE ' + @whereclause

exec sp_executesql @sql
end
0
 
LVL 51

Expert Comment

by:Mark Wills
ID: 21774556
Just to add a couple of qualifiers to the above.... putting the "bits' on a new line and the where in brackets and extending the criteria prevents the inclusion of a terminated "where" (ie a semicolon, or commented) with a new 'command' being the injection - the @sql statement will fail. But there are still more techniques for sql injection...

Is this on the right track ?


create proc mydynamicproc (@columns varchar(2000),@tablename varchar(2000), @whereclause varchar(2000))
as
begin
declare @sql varchar(8000)

set @sql = 'SELECT
'+ @columns +'
FROM
' + @tablename + '
WHERE
(' + @whereclause +')
AND (1=1)'

exec (@sql)
end
0
 

Author Comment

by:rathiagu
ID: 21816338
Thank U chapmandew and mark wills
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21816370
you're welcome...
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes has been used since a very long time as an e-mail client and is very popular because of it's unmatched security. In this article we are going to learn about  RRV Bucket corruption and understand various methods to Fix "RRV Bucket Corrupt…
Exchange database can often fail to mount thereby halting the work of all users connected to it. Finding out why database isn’t mounting is crucial and getting the server back online. Stellar Phoenix Mailbox Exchange Recovery is a champion product t…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question