April 18, 2019 at 1:08 pm
Switch all your dynamic T-SQL to use sp_executesql. As you can see in the documentation, you can write that such that it uses parameter values, not just constructed strings. The use of parameterized queries is the single best approach to eliminating any issues with SQL Injection. Executing strings, without parameters, is how you get SQL Injection. Don't do that.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
April 18, 2019 at 1:14 pm
MySQL and SQL Server use different methods to execute dynamic code. This is a forum for Microsoft SQL Server, you would get better help on a MySQL forum.
April 18, 2019 at 1:21 pm
MySQL and SQL Server use different methods to execute dynamic code. This is a forum for Microsoft SQL Server, you would get better help on a MySQL forum.
Oh bugger. I didn't even spot that. Thanks!
There is no MySQL equivalent to sp_executesql, so that's not an option. Instead, make your code into prepared statements. Same core solution, parameterize the query.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
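Added example (not code from the thread or from either poster), showing the constructed-string pattern the replies above warn against beside the parameterized forms they recommend: sp_executesql for SQL Server and a prepared statement for MySQL. The table and column names are assumed for illustration, and the two dialect sections are meant to be run separately on their respective servers.

```sql
-- ===== T-SQL (Microsoft SQL Server) ======================================
-- Assumed schema for illustration: dbo.Customers(CustomerId, LastName).

-- VULNERABLE: the caller-supplied value is spliced into the statement text,
-- so a value containing a quote character changes the query's structure.
DECLARE @search nvarchar(100) = N'Smith';
DECLARE @sql    nvarchar(max);
SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customers '
         + N'WHERE LastName = ''' + @search + N''';';
EXEC (@sql);   -- executing a constructed string: this is how injection happens

-- FIXED: sp_executesql with a typed parameter. The statement text is now a
-- constant; @search is passed as data and cannot alter the query's shape.
SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customers '
         + N'WHERE LastName = @p_last;';
EXEC sp_executesql
     @stmt   = @sql,
     @params = N'@p_last nvarchar(100)',
     @p_last = @search;

-- Caveat: only values can be parameters. If an identifier (table or column
-- name) must be dynamic, validate it against an allow-list and wrap it with
-- QUOTENAME() before concatenating; never splice it in raw.

-- ===== MySQL ============================================================
-- Assumed schema for illustration: customers(customer_id, last_name).
-- No sp_executesql here, so use a server-side prepared statement: the
-- placeholder '?' sits in the text and the value is bound at EXECUTE time.
SET @search = 'Smith';
PREPARE stmt FROM
  'SELECT customer_id, last_name FROM customers WHERE last_name = ?';
EXECUTE stmt USING @search;
DEALLOCATE PREPARE stmt;
```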
April 18, 2019 at 1:47 pm
This guy has asked a half dozen interview questions. I'm not helping him to get a job he's not qualified to do.
--Jeff Moden
Change is inevitable... Change for the better is not.