Categories
SQL

Constructing Dynamic SQL with Parameters

When building dynamic SQL, safety is crucial. As we saw last week, we have the QUOTENAME function which can help when referencing object names. Another aspect to consider is the use of parameters. Integrating them incorrectly can leave us vulnerable to SQL injection attacks. Let’s take a look at how to handle them the wrong way, followed by the right […]

Categories
SQL

Securing Dynamic SQL with QUOTENAME

I’m a big fan of dynamic SQL in the right conditions. One key to crafting a safe dynamic query is the use of the QUOTENAME function. The issue: using dynamic SQL can leave us vulnerable without proper safeguards. Let’s see an example of this: This is a cut down example of something I’ve seen previously in […]

Categories
SSIS

Using a Proxy for SSIS Execution

When executing packages for SSIS the default option would be to use the SQL Server Agent service account. We might not want to share an account between our services and Integration Services packages due to security risks. Let’s take a common example: Suppose we have a package which reads from a file share. If permissions […]

Categories
SQL Server

Object Visibility: Who Can See What

When developing database solutions we’ll typically spend some time considering security requirements, which will result (in part) in database roles being assigned to users or groups of users. Whilst security considerations will likely be focused on what folks can do in our databases, there’s a separate impact on what they can see in them too. I’ve had more than […]