• David92595 (6/28/2016)


    @Jeff

    Because I inherited this database and the person that made it thought in spreadsheets not relational tables.

    @scott

    Thank you! Are there any other good ways to stop a SQL injection? My database, until recently, has been small and is still only internal so exposure to injections has been minimal. I know I need to get ahead of the curve on this though.

    David

    Yes, for SQL injection, there are definitely other measures that need to be taken. My code above is just a quick way to do a reasonable check for injection prior to executing.

    Another potential issue with dynamic SQL is that permissions must be granted explicitly to the user running the code, and not come through a role. If the code is being run under a "power user"/"power app" id, that's not an issue, but if you run code as each user, it can be a permissions issue with dynamic SQL.

    SQL DBA, SQL Server MVP (07, 08, 09). A socialist is someone who will give you the shirt off *someone else's* back.
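
Added example, not part of the original thread or any poster's code: one common measure for dynamic SQL on SQL Server is to pass values through `sp_executesql` parameters and to take any column name from the catalog, wrapped in `QUOTENAME`, instead of concatenating caller input. The table `dbo.Files`, the procedure name and the parameter names are hypothetical.

```sql
-- Constructed example: dbo.Files and dbo.SearchFilesByColumn are hypothetical names.
CREATE PROCEDURE dbo.SearchFilesByColumn
    @ColumnName  sysname,
    @SearchValue nvarchar(200)
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers cannot be bound as parameters, so look the requested
    -- column up in the catalog and use the catalog's copy of the name.
    -- Caller text never reaches the statement string.
    DECLARE @SafeColumn nvarchar(258);

    SELECT @SafeColumn = QUOTENAME(c.name)
    FROM sys.columns AS c
    WHERE c.object_id = OBJECT_ID(N'dbo.Files')
      AND c.name = @ColumnName;

    -- Anything that is not a real column of the table is rejected outright.
    IF @SafeColumn IS NULL
    BEGIN
        RAISERROR(N'Unknown column name.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM dbo.Files WHERE ' + @SafeColumn + N' = @value;';

    -- The search value travels as a typed parameter, so quotes, comment
    -- markers or semicolons inside it are compared as data, not parsed as SQL.
    EXEC sys.sp_executesql
        @sql,
        N'@value nvarchar(200)',
        @value = @SearchValue;
END;
```

A call such as `EXEC dbo.SearchFilesByColumn @ColumnName = N'x; DROP TABLE dbo.Files', @SearchValue = N'1';` ends at the "Unknown column name" error because no such column exists in `sys.columns`.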