• Steve Jones - SSC Editor (3/29/2013)


    TravisDBA (3/29/2013)


    Another thing to remember here is that script injection is NOT just restricted to SQL. MSDOS commands can be injected in a string that is passed to an xp_cmdshell and executed with the current privileges. If you know how to use ampersands, it's real easy to do. Don Burleson wrote a very good article with a real fine example of this that is well worth reading. 😀

    http://www.rampant-books.com/t_super_sql_157_script_injection_msdos.htm

    That's a very real hole, and it's one you should beware of. So administrators running things through XP_CMDSHELL shouldn't run anything they do not completely understand, including the parameters.

    I agree Steve, it is, and I would add that if Mr. Burleson says the command is dangerous, then I would definitely listen. 😀

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
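The point raised above (a caller-supplied string reaching xp_cmdshell can smuggle a second command behind an ampersand) is easiest to defend with a wrapper that refuses any argument outside a strict allowlist. This is an added example, not code from the thread or from the linked article; the procedure name, folder path and column sizes are assumptions.

```sql
-- Added example (not from the thread): wrap xp_cmdshell so that only a plain
-- folder name can ever reach the command string. Names and paths are hypothetical.
CREATE PROCEDURE dbo.usp_SafeDirListing
    @FolderName sysname          -- expected: a bare folder name, nothing else
AS
BEGIN
    SET NOCOUNT ON;

    -- Reject anything outside [A-Za-z0-9_.]. This blocks &, |, <, >, ^, quotes
    -- and whitespace, the characters cmd.exe uses to chain or redirect commands,
    -- and the '..' check stops the value from walking out of the base folder.
    IF @FolderName IS NULL
       OR LEN(@FolderName) = 0
       OR PATINDEX('%[^A-Za-z0-9_.]%', @FolderName COLLATE Latin1_General_BIN) > 0
       OR @FolderName LIKE '%..%'
    BEGIN
        RAISERROR('Rejected argument for xp_cmdshell: %s', 16, 1, @FolderName);
        RETURN 1;
    END;

    -- Only a value that survived the allowlist is concatenated into the command.
    DECLARE @cmd nvarchar(4000) = N'dir "C:\Exports\' + @FolderName + N'"';
    EXEC master..xp_cmdshell @cmd;
    RETURN 0;
END;
GO

-- Rejected: the ampersand and spaces fail the allowlist, so nothing is executed.
EXEC dbo.usp_SafeDirListing @FolderName = N'reports & echo injected';
-- Accepted: a plain folder name.
EXEC dbo.usp_SafeDirListing @FolderName = N'reports_2013';
```

The allowlist is deliberately narrower than "strip the ampersand": rejecting everything you did not expect is what makes the parameter something you completely understand before it runs.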