SQL Server 2012 - T-SQL forum: RE: Is there a way to identify dynamic sql that may be vulnerable to sql injection?

  • GilaMonster - Wednesday, January 3, 2018 11:21 AM

    sp_statement_completed & sql_statement_completed and look for sp_executesql or EXEC with brackets.
    Or the entire batch with sql_batch_completed and RPC completed. Either way, a second filter is necessary, and probably better to do it after capturing, especially for the EXEC( one

    Ah... ok.  So it uses the same method as doing a code search.  Wouldn't it just be easier to review the code so that you don't have to filter through all of the duplication that such a method will generate?  Also, that will only capture the code that's currently being used.  It may not capture code that's not frequently used.

    And, yeah... I agree... no matter what, a secondary filter is absolutely necessary.  Hopefully such a filter isn't the same human that wrote the code to begin with.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
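An added example, not code posted by either participant: the first half is an Extended Events session of the kind GilaMonster describes (capturing batches and RPC calls, pre-filtered on sp_executesql or EXEC( ); the second half is the code-search alternative Jeff prefers, scanning sys.sql_modules so that rarely-executed procedures are covered too. The session name, the target file path and the concatenation heuristics are assumptions; the human "second filter" the thread agrees on is still needed.

```sql
-- Part 1: Extended Events session (session name and file path are assumptions).
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'DynamicSqlCapture')
    DROP EVENT SESSION DynamicSqlCapture ON SERVER;
GO
CREATE EVENT SESSION DynamicSqlCapture ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.client_app_name, sqlserver.database_name, sqlserver.username)
    -- first filter: only batches that mention dynamic-SQL constructs
    WHERE sqlserver.like_i_sql_unicode_string(batch_text, N'%sp_executesql%')
       OR sqlserver.like_i_sql_unicode_string(batch_text, N'%EXEC(%')
       OR sqlserver.like_i_sql_unicode_string(batch_text, N'%EXEC (%')),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.client_app_name, sqlserver.database_name, sqlserver.username)
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%sp_executesql%')
       OR sqlserver.like_i_sql_unicode_string(statement, N'%EXEC(%')
       OR sqlserver.like_i_sql_unicode_string(statement, N'%EXEC (%'))
ADD TARGET package0.event_file (SET filename = N'C:\XE\DynamicSqlCapture.xel')
WITH (MAX_MEMORY = 4096 KB, EVENT_RETENTION_MODE = ALLOW_SINGLE_EVENT_LOSS);
GO
ALTER EVENT SESSION DynamicSqlCapture ON SERVER STATE = START;
GO

-- Part 2: static code review over the catalog. Flags every user module that
-- builds dynamic SQL, then adds two heuristic columns for the human reviewer:
-- has_string_concat  = a literal is concatenated with a variable (typical injection shape)
-- has_quoting        = QUOTENAME or doubled-quote REPLACE is present (a mitigation signal)
SELECT
    SCHEMA_NAME(o.schema_id) AS schema_name,
    o.name                   AS module_name,
    o.type_desc,
    CASE WHEN m.definition LIKE '%sp_executesql%' THEN 1 ELSE 0 END AS uses_sp_executesql,
    CASE WHEN m.definition LIKE '%EXEC(%'  OR m.definition LIKE '%EXEC (%'
           OR m.definition LIKE '%EXECUTE(%' OR m.definition LIKE '%EXECUTE (%'
         THEN 1 ELSE 0 END AS uses_exec_paren,
    CASE WHEN m.definition LIKE '%''%+%@%' OR m.definition LIKE '%@%+%''%'
         THEN 1 ELSE 0 END AS has_string_concat,
    CASE WHEN m.definition LIKE '%QUOTENAME(%' OR m.definition LIKE '%REPLACE(%''''%'
         THEN 1 ELSE 0 END AS has_quoting
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE o.is_ms_shipped = 0
  AND (m.definition LIKE '%sp_executesql%'
    OR m.definition LIKE '%EXEC(%'    OR m.definition LIKE '%EXEC (%'
    OR m.definition LIKE '%EXECUTE(%' OR m.definition LIKE '%EXECUTE (%')
ORDER BY has_string_concat DESC, has_quoting, schema_name, module_name;
```

Run Part 2 in each user database; modules with has_string_concat = 1 and has_quoting = 0 are the ones to read first, and a parameterised sp_executesql call (values passed through @params rather than concatenated) is the fix the reviewer should expect to see.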