SQL Injection and Square Brackets

Erik Darling is not amused:

I see a lot of scripts on the internet that use dynamic SQL, but leave people wide open to SQL injection attacks.

In many cases they’re probably harmless, hitting DMVs, object names, etc. But they set a bad example. From there, people will adapt whatever dynamic SQL worked elsewhere to something they’re currently working on.

Click through for a demonstration of the problem.