开发者

TSQL Prevent SQL injection on SPROC with a WHERE clause as parameter

I am currently developing an application that MUST select several different tables whose results are interconnected. The return data will be saved in a .NET DataSet object in the client application.

The input variables of the stored procedure need to be the where clause of the select statement. This is a requirement of the开发者_如何学JAVA business logic, since the application must allow such advanced searches.

What I wanted to make is a stored procedure (because of the need to return more than one table that are connected to each other and whose results are inter-dependent) that would have WHERE clauses that would be appended to a dynamic SQL such as:

create procedure up_test (
    @input varchar(255)
) as

    EXEC( 'SELECT * FROM person.person ' + @input)


go


If the input for the SP has to be the where clause for a select statement then there is no way you can prevent sql injection.

One of the reasons is that it opens the door to people closing the select statement and then writing whatever else they want, updates, deletes, you name it.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜