Tag: SQL Injection

SQL

Constructing Dynamic SQL with Parameters

Post author By Andy B.
Post date Mar 26, 2024
2 Comments on Constructing Dynamic SQL with Parameters

When building dynamic SQL, safety is crucial. As we saw last week, we have the QUOTENAME function which can help when referencing object names. Another aspect to consider is use of parameters. Integrating them incorrectly can leave us vulnerable to SQL injection attacks. Let’s take a look at how to handle them the wrong way, followed by the right […]

Tags Dynamic SQL, Querying, Security, SQL, SQL Injection, Stored Procedures

SQL

Securing Dynamic SQL with QUOTENAME

Post author By Andy B.
Post date Mar 19, 2024
2 Comments on Securing Dynamic SQL with QUOTENAME

I’m a big fan of dynamic SQL in the right conditions. One key to crafting safe dynamic query of the use of the QUOTENAME function. The issue Using dynamic SQL can leave us vulnerable without proper safeguard. Let’s see an example of this: This is a cut down example of something I’ve seen previously in […]

Tags Querying, Dynamic SQL, Stored Procedures, Security, SQL Injection