• sturner (6/22/2009)


    It is really only dangerous in the case where appropriate and strict adherence to minimum required permissions and complex password safeguards are lacking or non-existent. Unfortunately this is true in too many situations and has resulted in giving this rather useful procedure a bad name. Most people take the brute force (easier) approach and disable the feature.

    There are many ways to hack a database, this is but one of the more interesting ones. Having said that, proper adherence to SQL Server security on objects and logins along with application coding designed to be injection-proof will make this particular procedure no more of a danger than DROP TABLE. I'll get flamed for saying this but it is a fact.

    I know this is an old thread but I wanted to add... I absolutely agree. It's not the tool that's bad. It's the way that people implement it.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)