• Sean Lange (2/5/2013)


    Antony Symonds (2/5/2013)


    Is dynamic SQL bad in general or just when it opens up this sort of a security hole allowing for the SQL to be fully specified or at least the table?

    Dynamic SQL is very powerful and is sometimes the best way to accomplish something. In the case of this it is more dangerous because of the possibility of SQL injection.

    Thanks, that is pretty much what I was thinking I just wanted to make sure... I suppose he could put some conditions to test the parameters being sent to make sure it's within an acceptable bracket of SQL code...

    Time to make a change
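
One way to test a table-name parameter before it reaches dynamic SQL, as discussed in the post above. This is an added T-SQL example, not code from the thread; the procedure name `dbo.GetRowsByTable`, its parameters, the allowlisted table names and the `Id` column are all hypothetical.

```sql
-- Added example: dbo.GetRowsByTable, its parameters, the allowlisted
-- table names and the Id column are hypothetical.
CREATE PROCEDURE dbo.GetRowsByTable
    @SchemaName sysname,
    @TableName  sysname,
    @MinId      int
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @QualifiedName nvarchar(517);

    -- Resolve the caller's input against the catalog instead of trusting it.
    -- If no allowlisted user table with exactly this schema and name exists,
    -- no row matches and the variable stays NULL, so injected text never
    -- becomes part of the statement.
    SELECT @QualifiedName = QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
    FROM sys.tables AS t
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE s.name = @SchemaName
      AND t.name = @TableName
      AND t.name IN (N'Orders', N'Invoices');  -- constructed allowlist

    IF @QualifiedName IS NULL
    BEGIN
        RAISERROR(N'Unknown or disallowed table.', 16, 1);
        RETURN;
    END;

    -- Only the catalog-derived, bracket-quoted identifier is concatenated.
    -- The filter value travels as a real parameter of sp_executesql.
    DECLARE @Sql nvarchar(max) =
        N'SELECT * FROM ' + @QualifiedName + N' WHERE Id >= @MinId;';

    EXEC sys.sp_executesql @Sql, N'@MinId int', @MinId = @MinId;
END;
```

The identifier that ends up in the statement comes from `sys.tables`, not from the caller, and `QUOTENAME` brackets it; values are never concatenated at all.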