Bert Wagner has a two-part series on SQL injection. In the first post, he shows how to use sp_executesql to parameterize queries:
The important thing to note in the query above is that we are generating a dynamic SQL statement; that is, we are building the SQL query string, and then we are executing it.
Imagine this stored procedure is running in order to display a “Welcome <Full Name>!” message in our app — a website visitor types in their
@ParmUserName
and we execute the stored procedure to return their full name.
In his second post, Bert shows what to do if you need to run a query off of a dynamically-selected table:
Unfortunately we have to fall back on SQL’s
EXEC
command.However, like we discussed last week, we need to be vigilant about what kind of user input we allow to be built as part of our query.
Assuming our app layer is already sanitizing as much of the user input as possible, here are some precautions we can take on the SQL side of the equation:
Read on for more.