Solved

sql stored proc with dynamic sql

Posted on 2008-06-12
4
396 Views
Last Modified: 2008-08-29
I am running a stored procedure in which i am creating the query in a variable @query by checking some input variables and then exceuting the query by execute(@query).I know these type has more chances to sql injection,but in my case i don't have any other options.I came to know that using paremeterized inputs for creating this query would reduce the risk of sql injection in these dynamic query stored proc.Can anyone show me an example of using parametrized inputs for dynamic query.
0
Comment
Question by:rathiagu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 60

Accepted Solution

by:
chapmandew earned 125 total points
ID: 21770352
Sure...

create proc mydynamicproc
(
@tablename nvarchar(255),
@whereclause nvarchar(255)
)
as
begin
declare @sql nvarchar(2000)
set @sql = 'SELECT * FROM ' + @tablename + ' WHERE ' + @whereclause

exec sp_executesql @sql
end
0
 
LVL 51

Expert Comment

by:Mark Wills
ID: 21774556
Just to add a couple of qualifiers to the above.... putting the "bits' on a new line and the where in brackets and extending the criteria prevents the inclusion of a terminated "where" (ie a semicolon, or commented) with a new 'command' being the injection - the @sql statement will fail. But there are still more techniques for sql injection...

Is this on the right track ?


create proc mydynamicproc (@columns varchar(2000),@tablename varchar(2000), @whereclause varchar(2000))
as
begin
declare @sql varchar(8000)

set @sql = 'SELECT
'+ @columns +'
FROM
' + @tablename + '
WHERE
(' + @whereclause +')
AND (1=1)'

exec (@sql)
end
0
 

Author Comment

by:rathiagu
ID: 21816338
Thank U chapmandew and mark wills
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21816370
you're welcome...
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question