Solved

sql stored proc with dynamic sql

Posted on 2008-06-12
4
379 Views
Last Modified: 2008-08-29
I am running a stored procedure in which i am creating the query in a variable @query by checking some input variables and then exceuting the query by execute(@query).I know these type has more chances to sql injection,but in my case i don't have any other options.I came to know that using paremeterized inputs for creating this query would reduce the risk of sql injection in these dynamic query stored proc.Can anyone show me an example of using parametrized inputs for dynamic query.
0
Comment
Question by:rathiagu
  • 2
4 Comments
 
LVL 60

Accepted Solution

by:
chapmandew earned 125 total points
ID: 21770352
Sure...

create proc mydynamicproc
(
@tablename nvarchar(255),
@whereclause nvarchar(255)
)
as
begin
declare @sql nvarchar(2000)
set @sql = 'SELECT * FROM ' + @tablename + ' WHERE ' + @whereclause

exec sp_executesql @sql
end
0
 
LVL 51

Expert Comment

by:Mark Wills
ID: 21774556
Just to add a couple of qualifiers to the above.... putting the "bits' on a new line and the where in brackets and extending the criteria prevents the inclusion of a terminated "where" (ie a semicolon, or commented) with a new 'command' being the injection - the @sql statement will fail. But there are still more techniques for sql injection...

Is this on the right track ?


create proc mydynamicproc (@columns varchar(2000),@tablename varchar(2000), @whereclause varchar(2000))
as
begin
declare @sql varchar(8000)

set @sql = 'SELECT
'+ @columns +'
FROM
' + @tablename + '
WHERE
(' + @whereclause +')
AND (1=1)'

exec (@sql)
end
0
 

Author Comment

by:rathiagu
ID: 21816338
Thank U chapmandew and mark wills
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21816370
you're welcome...
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes some very basic things about SQL Server filegroups.
CCModeler offers a way to enter basic information like entities, attributes and relationships and export them as yEd or erviz diagram. It also can import existing Access or SQL Server tables with relationships.
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question