SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Is sp_executesql reliable?


Is sp_executesql reliable?

Author
Message
masoudk1990
masoudk1990
SSC Veteran
SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)

Group: General Forum Members
Points: 252 Visits: 299
Hello.
I have a bad feeling about sp_executesql, I think in some particular situations it modify itself.
I mean if we have a select stored procedure for dynamic table name like this:


CREATE PROCEDURE SP @TableName AS SYSNAME AS
BEGIN
DECLARE @sql AS NVARCHAR(MAX)
SET @sql = N'Select something from ' + QUOTENAME(@TableName) + ' where 1=1'
EXEC sp_executesql @sql
END



I think after we pass something to @TableName parameter, in a particular situation its possible our stored procedure modify itself to something like this:

Select something from tableName where 1=1



And next time we want to pass something to @TableName, it will throw an exception that @TableName parameter not found.

I found something like this in my program and im not sure if my theory about sp_executesql modify itself randomly is correct or not.
Thank you for help.

___________________________________
Computer Enterprise Masoud Keshavarz
I don't care about hell.
If I go there I've played enough Diablo to know how to fight my way out.
HanShi
HanShi
SSCrazy Eights
SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)SSCrazy Eights (8.8K reputation)

Group: General Forum Members
Points: 8828 Visits: 3718
A stored procedure cannot be changed without the ALTER PROCEDURE statement. Your statement the stored procedure "has changed itself" indicates someone executed code to drop/recreate or alter the existing stored procedure.You can look in SSMS at the properties of a stored procedure to see the date the procedure was created. This could help you when the modification has been done with a DROP/CREATE statement.
If this happens without your knowledge and you want logging when it happens consider creating a DDL trigger on the database.

** Don't mistake the ‘stupidity of the crowd’ for the ‘wisdom of the group’! **
masoudk1990
masoudk1990
SSC Veteran
SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)

Group: General Forum Members
Points: 252 Visits: 299
Much appreciated, I think you've gave me enough clue.

___________________________________
Computer Enterprise Masoud Keshavarz
I don't care about hell.
If I go there I've played enough Diablo to know how to fight my way out.
Grant Fritchey
Grant Fritchey
SSC Guru
SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)

Group: General Forum Members
Points: 100437 Visits: 33014
As you have it currently configured, you're right not to trust it. You're completely open to SQL Injection. For a good laugh, and a good education, see to Bobby Tables. As you're using it, you're begging for trouble. sp_executesql does support parameters, but, you won't be able to just pass it table names like that. If you really want to do that (and I'm convinced it's a poor choice), you need to first do some type of check against the parameter values to ensure that what is passed is actually a real table name. Check in sys.objects or something. Just don't leave it raw like that.

----------------------------------------------------
The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood...
Theodore Roosevelt

The Scary DBA
Author of: SQL Server Query Performance Tuning and SQL Server Execution Plans
Product Evangelist for Red Gate Software
sturner
sturner
SSCertifiable
SSCertifiable (5.3K reputation)SSCertifiable (5.3K reputation)SSCertifiable (5.3K reputation)SSCertifiable (5.3K reputation)SSCertifiable (5.3K reputation)SSCertifiable (5.3K reputation)SSCertifiable (5.3K reputation)SSCertifiable (5.3K reputation)

Group: General Forum Members
Points: 5274 Visits: 3259
Grant is right on. Your use of sp_executeSQL is superfluous in terms of preventing injection the way you have implemented it. Read BOL on sp_executeSQL and learn how it works. It is always important to do as much parameter validation at the application level as possible even when using sp_executesql. Parameter validation inside stored procedures is also valid.

The probability of survival is inversely proportional to the angle of arrival.
masoudk1990
masoudk1990
SSC Veteran
SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)

Group: General Forum Members
Points: 252 Visits: 299
Much appreciated, Ive read from somewhere if I use QUOTENAME(@FieldName,'''') with 4 single quotations, it makes stored procedure bullet proof from sql injection, but Im still in doubt if its adequate.

According to documentations QUOTENAME('Syntax-Example','''') produce 'Syntax-Example' out put.
But documentation didnt described how QUOTENAME('Syntax-Example','''') produce 'Syntax-Example' out put.
Is there any logic behind this? Or its just a rule?

___________________________________
Computer Enterprise Masoud Keshavarz
I don't care about hell.
If I go there I've played enough Diablo to know how to fight my way out.
ALZDBA
ALZDBA
SSC-Dedicated
SSC-Dedicated (30K reputation)SSC-Dedicated (30K reputation)SSC-Dedicated (30K reputation)SSC-Dedicated (30K reputation)SSC-Dedicated (30K reputation)SSC-Dedicated (30K reputation)SSC-Dedicated (30K reputation)SSC-Dedicated (30K reputation)

Group: General Forum Members
Points: 30715 Visits: 8986
masoudk1990 (12/24/2013)
Much appreciated, Ive read from somewhere if I use QUOTENAME(@FieldName,'''') with 4 single quotations, it makes stored procedure bullet proof from sql injection, but Im still in doubt if its adequate.

According to documentations QUOTENAME('Syntax-Example','''') produce 'Syntax-Example' out put.
But documentation didnt described how QUOTENAME('Syntax-Example','''') produce 'Syntax-Example' out put.
Is there any logic behind this? Or its just a rule?


with regards to sql injection there is no such thing a bullet proof dynamic sql, unless you really build testing logic to intercept potential abuse !

Anyone anticipation your quotename can just anticipate your quote-char "* ; <put malicious code here> --" and you're *** [clipped on purpose] Cool

http://technet.microsoft.com/en-us/library/ms176114.aspx

Johan


Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere w00t

- How to post Performance Problems
- How to post data/code to get the best help


- How to prevent a sore throat after hours of presenting ppt ?


press F1 for solution, press shift+F1 for urgent solution :-D


Need a bit of Powershell? How about this

Who am I ? Sometimes this is me Alien but most of the time this is me Hehe
Grant Fritchey
Grant Fritchey
SSC Guru
SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)SSC Guru (100K reputation)

Group: General Forum Members
Points: 100437 Visits: 33014
masoudk1990 (12/24/2013)
Much appreciated, Ive read from somewhere if I use QUOTENAME(@FieldName,'''') with 4 single quotations, it makes stored procedure bullet proof from sql injection, but Im still in doubt if its adequate.

According to documentations QUOTENAME('Syntax-Example','''') produce 'Syntax-Example' out put.
But documentation didnt described how QUOTENAME('Syntax-Example','''') produce 'Syntax-Example' out put.
Is there any logic behind this? Or its just a rule?


There are several things you can do to prevent SQL Injection. First, don't use dynamic T-SQL at all. Only use straight T-SQL and parameters. That code can't be modified by values within the parameters. Second, if you must use dynamic T-SQL, only use parameters as parameters in the same way you would with standard T-SQL. There are examples here in the Books Online. Finally, as has been said, put in logic checks to completely sanitize your inputs if you have to dynamically build T-SQL, especially if you're going to go down the dangerous route of passing in table names as values.

----------------------------------------------------
The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood...
Theodore Roosevelt

The Scary DBA
Author of: SQL Server Query Performance Tuning and SQL Server Execution Plans
Product Evangelist for Red Gate Software
masoudk1990
masoudk1990
SSC Veteran
SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)SSC Veteran (252 reputation)

Group: General Forum Members
Points: 252 Visits: 299
Thanks Grant Fritchey, Ill take a look at that.

According to this:
http://technet.microsoft.com/en-us/library/ms176114.aspx

Now to add to my troubles:
how QUOTENAME('abc[]def') produce [abc[]]def] ? :-D

Well, Its a new question. Ill ask it in a new thread, thank you every one.

___________________________________
Computer Enterprise Masoud Keshavarz
I don't care about hell.
If I go there I've played enough Diablo to know how to fight my way out.
Jeff Moden
Jeff Moden
SSC Guru
SSC Guru (220K reputation)SSC Guru (220K reputation)SSC Guru (220K reputation)SSC Guru (220K reputation)SSC Guru (220K reputation)SSC Guru (220K reputation)SSC Guru (220K reputation)SSC Guru (220K reputation)

Group: General Forum Members
Points: 220734 Visits: 42002
Ah... while I agree with being paranoid about the use of dynamic SQL, it should not be something that keeps you from using it when necessary. It's an incredibly powerful tool that can do things not otherwise possible but, as the others have stated, must be made to completely and absolutely prevent SQL Injection attempts.

For the code given in the original post, the content of @TableName should be verified by checking sys.objects to see if the table name actually exists and THAT can certainly be done without dynamic SQL. If the table name doesn't exist, the exit the stored procedure without giving any clue as to what the problem is so that a potential attacker isn't given any clues.

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think its expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search