RE: Is there a way to identify dynamic SQL that may be vulnerable to SQL injection?

  • GilaMonster - Wednesday, January 3, 2018 11:21 AM

    sp_statement_completed & sql_statement_completed, and look for sp_executesql or EXEC with brackets.
    Or the entire batch with sql_batch_completed and rpc_completed. Either way, a second filter is necessary, and it is probably better to do it after capturing, especially for the EXEC( one.

    That would work for SQL generated on the SQL Server, but isn't going to help with dynamic SQL generated in an application. From experience, I've found applications are far worse for it; it seems that (some) application/web developers don't even consider it, and then as a DBA you see the application code and have a meltdown. :'(

    Unfortunately, I can't really think of a way you could capture dynamically generated SQL from an application. It is one of the reasons why I prefer only letting an application use SPs, as then it can't even try to use dynamically generated SQL.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk
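As an added example (not code from either poster), here is one way to put the two suggestions above into practice: an Extended Events session that captures completed batches and RPC calls with only a coarse database filter, followed by a post-capture query that flags the sp_executesql and EXEC( patterns, and a second query that lists which client applications are sending ad-hoc batches rather than calling procedures. The session name, the file path C:\XE\ and the database name AppDb are placeholders.

```sql
-- Added example, not from the original thread.
-- Placeholders: session name DynamicSqlAudit, path C:\XE\, database AppDb.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'DynamicSqlAudit')
    DROP EVENT SESSION DynamicSqlAudit ON SERVER;
GO
-- Capture whole batches and RPC calls; keep the live predicate coarse so nothing
-- interesting is lost, and do the precise filtering after capture.
CREATE EVENT SESSION DynamicSqlAudit ON SERVER
ADD EVENT sqlserver.sql_batch_completed
(
    ACTION (sqlserver.client_app_name, sqlserver.database_name, sqlserver.username)
    WHERE sqlserver.database_name = N'AppDb'
),
ADD EVENT sqlserver.rpc_completed
(
    ACTION (sqlserver.client_app_name, sqlserver.database_name, sqlserver.username)
    WHERE sqlserver.database_name = N'AppDb'
)
ADD TARGET package0.event_file (SET filename = N'C:\XE\DynamicSqlAudit.xel')
WITH (MAX_MEMORY = 4096 KB, EVENT_RETENTION_MODE = ALLOW_SINGLE_EVENT_LOSS,
      MAX_DISPATCH_LATENCY = 30 SECONDS, STARTUP_STATE = OFF);
GO
ALTER EVENT SESSION DynamicSqlAudit ON SERVER STATE = START;
GO

-- Post-capture filter: shred the .xel files and flag text that runs dynamic SQL.
-- sql_batch_completed carries batch_text, rpc_completed carries statement.
;WITH raw AS
(
    SELECT CAST(event_data AS xml) AS x
    FROM sys.fn_xe_file_target_read_file(N'C:\XE\DynamicSqlAudit*.xel', NULL, NULL, NULL)
),
ev AS
(
    SELECT
        x.value('(event/@name)[1]', 'sysname')                                        AS event_name,
        x.value('(event/@timestamp)[1]', 'datetime2')                                 AS event_time,
        x.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)')  AS app_name,
        x.value('(event/action[@name="username"]/value)[1]', 'nvarchar(256)')         AS login_name,
        COALESCE(
            x.value('(event/data[@name="batch_text"]/value)[1]', 'nvarchar(max)'),
            x.value('(event/data[@name="statement"]/value)[1]', 'nvarchar(max)'))     AS sql_text
    FROM raw
)
SELECT event_time, event_name, app_name, login_name, sql_text,
       CASE
           WHEN sql_text LIKE '%sp_executesql%'                          THEN 'sp_executesql'
           WHEN sql_text LIKE '%EXEC(%' OR sql_text LIKE '%EXEC (%'
             OR sql_text LIKE '%EXECUTE(%' OR sql_text LIKE '%EXECUTE (%' THEN 'EXEC(...)'
       END AS dynamic_sql_kind
FROM ev
WHERE sql_text LIKE '%sp_executesql%'
   OR sql_text LIKE '%EXEC(%'    OR sql_text LIKE '%EXEC (%'
   OR sql_text LIKE '%EXECUTE(%' OR sql_text LIKE '%EXECUTE (%'
ORDER BY event_time;

-- SQL built inside the application arrives as plain ad-hoc batches, so the
-- server cannot tell concatenated text from anything else. What it can show is
-- which applications send batches at all instead of calling procedures via RPC.
;WITH raw AS
(
    SELECT CAST(event_data AS xml) AS x
    FROM sys.fn_xe_file_target_read_file(N'C:\XE\DynamicSqlAudit*.xel', NULL, NULL, NULL)
)
SELECT x.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)') AS app_name,
       x.value('(event/@name)[1]', 'sysname')                                       AS event_name,
       COUNT(*)                                                                     AS events
FROM raw
GROUP BY x.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)'),
         x.value('(event/@name)[1]', 'sysname')
ORDER BY app_name, event_name;
```

The LIKE patterns are deliberately loose and will produce false positives (a procedure name containing EXEC, for instance), which is why the precise review belongs in the post-capture step rather than in the session predicate. Any application that should only be calling stored procedures but shows up in the last query with sql_batch_completed rows is worth a look at its data-access code.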