• Ed Wagner (6/27/2013)


    Ed Thompson (6/27/2013)


    But the supreme rule is: all input should be viewed as questionable whether it is coming from a source internal or external to your organization. You can build yourself some "cleansing" type functions to apply to string and binary type parameter inputs; but, know that they may need to be updated/tweaked from time to time as new threats come along and the line between legitimate and illegitimate input is blurry sometimes.

    Well-stated, Ed. I view the first layer of defense as being to treat everything as suspect. Make sure the quotes are in order by building and using a standard library of functions to clean every string you pass to SQL.

    I would disagree with this. Don't try to clean the input, protect yourself from malicious input by parameterizing your queries. DO NOT EVER execute user-entered values. That means you do not create some code to build a SQL string and then run that string against your database.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/