TSQL Prevent SQL injection on SPROC with a WHERE clause as parameter?

If the input for the SP has to be the where clause for a select statement then there is no way you can prevent sql injection. One of the reasons is that it opens the door to people closing the select statement and then writing whatever else they want, updates, deletes, you name it.

If I could allow only SELECT to the EXEC, it should work, I guess... – Scudelari Jan 3 at 15:59

If you want to write a SQL parser in your sproc maybe... – a'b'c'd'e'f'g'h' Jan 3 at 16:00

Not 100% sure but I also believe it is. You can hack something together like raising exceptions when a ; is passed as the where clause but still, that only goes so far. Such a "solution" might also raise exceptions for legit statements. – Lieven Jan 3 at 16:00

:) I wonder why there is no "EXEC SELECT" function... – Scudelari Jan 3 at 16:01

The input variables of the stored procedure need to be the where clause of the select statement. This is a requirement of the business logic, since the application must allow such advanced searches.
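The two procedures below are an added illustration, not code from the question or the answers: the first is the pattern the thread is discussing (the whole WHERE clause arrives as one string and is concatenated into EXEC), the second shows the usual way to keep the "advanced search" requirement while removing the injection surface, by taking column, operator and value as separate parameters, allow-listing the identifiers, and binding the value through sp_executesql. The table dbo.Customers and its columns are assumed for the example.

```sql
-- Pattern discussed in the thread: the caller supplies the whole WHERE clause.
-- Whatever text arrives is parsed as SQL and runs with the procedure's rights,
-- so a quote or semicolon in the input can end the SELECT and start another statement.
CREATE PROCEDURE dbo.SearchCustomers_Unsafe
    @Where NVARCHAR(MAX)
AS
BEGIN
    EXEC (N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE ' + @Where);
END
GO

-- Safer design (added example, table and columns assumed): the search is still
-- dynamic, but only identifiers the procedure itself allow-lists are concatenated;
-- the user-supplied value is bound as a typed parameter and is never parsed as SQL.
CREATE PROCEDURE dbo.SearchCustomers_Safe
    @Column   SYSNAME,
    @Operator NVARCHAR(4),
    @Value    NVARCHAR(200)
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow-list of searchable columns; anything else is rejected before SQL is built.
    IF @Column NOT IN (N'Name', N'City', N'Country')
        THROW 50001, 'Column is not searchable.', 1;

    -- Allow-list of operators, so the caller cannot smuggle in arbitrary tokens.
    IF @Operator NOT IN (N'=', N'<>', N'LIKE')
        THROW 50002, 'Operator is not allowed.', 1;

    -- QUOTENAME brackets the (already validated) column name; the value is the
    -- placeholder @p, not text, so it cannot change the statement's structure.
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE '
        + QUOTENAME(@Column) + N' ' + @Operator + N' @p';

    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(200)', @p = @Value;
END
GO

-- Constructed call: a value containing a quote and a comment marker is compared
-- literally against City (no rows match), instead of rewriting the query.
EXEC dbo.SearchCustomers_Safe N'City', N'=', N'Paris'' OR 1=1 --';
```

Granting EXECUTE on the procedure while withholding direct table rights keeps the same boundary the comments ask for ("only SELECT"), since the only statement text that reaches the engine is the one the procedure builds.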