Nadrek (1/30/2014)
May I recommend a CHECK constraint on the column(s) that prevent any data except letters and maybe spaces, perhaps numbers if you have to? If you have to accept any other characters, you're going down a very dark road indeed. Whitelisting is far better than trying to blacklist, but still not perfect.
The data requires a lot more "allowed" characters than that. The database and the software that I have any control over are safe; it's a third-party API and their database that is vulnerable.
Thanks for the links.
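The whitelist CHECK constraint Nadrek suggests, written out in T-SQL as an added example (not code from the thread; the table and column names are assumed). It also shows the collation caveat: under a case-insensitive dictionary collation a LIKE range such as [A-Z] is sorted by collation order and admits characters outside plain ASCII, so the range is forced to a binary collation.

```sql
-- Added example, not from the thread. Hypothetical table and column names.
CREATE TABLE dbo.Contact (
    ContactId   int IDENTITY(1,1) PRIMARY KEY,
    DisplayName nvarchar(100) NOT NULL
);
GO

-- Weak form (for comparison): under e.g. Latin1_General_CI_AS the range
-- [A-Za-z] follows dictionary order, so accented letters also pass.
--   CHECK (DisplayName NOT LIKE '%[^A-Za-z0-9 ]%')
--
-- Hardened form: a binary collation makes the range literal ASCII, so only
-- letters, digits and spaces are accepted; everything else is rejected.
ALTER TABLE dbo.Contact WITH CHECK
ADD CONSTRAINT CK_Contact_DisplayName_Whitelist
CHECK (
    DisplayName COLLATE Latin1_General_BIN NOT LIKE '%[^A-Za-z0-9 ]%'
    AND LEN(DisplayName) > 0
);
GO

-- Accepted: letters, digits and spaces only.
INSERT INTO dbo.Contact (DisplayName) VALUES (N'Mary Smith 2');

-- Rejected with error 547 (CHECK constraint conflict): apostrophe and
-- semicolon are outside the whitelist.
INSERT INTO dbo.Contact (DisplayName) VALUES (N'O''Brien; x');

-- Rejected as well once the binary collation is in place: accented letter.
INSERT INTO dbo.Contact (DisplayName) VALUES (N'José');
```

As the thread notes, this only protects a database you control; it does nothing for data that is handed to a third party's API and stored on their side.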
john barnett (1/30/2014)
As an alternative, could the application connect to SQL via an account that doesn't have rights to execute DDL statements, or would this break your software?
John
Not my software or my database at fault. I connect via their API to their database, I can't mess with anything on their systems (technically I could in-house, but it isn't a viable option unfortunately).
To be honest here guys, I don't think there's a whole lot more I can do.