Read our blogs, tips and tutorials
Try our exercises or test your skills
Watch our tutorial videos or shorts
Take a self-paced course
Read our recent newsletters
License our courseware
Book expert consultancy
Buy our publications
Get help in using our site
551 attributed reviews in the last 3 years
Refreshingly small course sizes
Outstandingly good courseware
Whizzy online classrooms
Wise Owl trainers only (no freelancers)
Almost no cancellations
We have genuine integrity
We invoice after training
Review 30+ years of Wise Owl
View our top 100 clients
Search our website
We also send out useful tips in a monthly email newsletter ...
Written by Andrew Gould
In this tutorial
So far this tutorial on dynamic SQL has taught you several ways to create and use dynamic SQL statements. Before you start using this technique in the real world however, you need to be aware of a potential danger: SQL injection attacks.
Injection attacks occur when a user passes a value to a dynamic SQL statement in an attempt to execute actions that you didn't intend them to perform.
Imagine you had a text box on a website, much like the one at the top of this page, to allow users to search your site. Clicking a button might send the value of the text box to a procedure which builds a dynamic SQL statement designed to retrieve matching records and present them to the user, something like the procedure shown below:
CREATE PROC spSearchBlogs
(
@SearchString VARCHAR(MAX)
)
AS
BEGIN
DECLARE @SQLString VARCHAR(MAX)
SET @SQLString =
'SELECT BlogName, BlogURL FROM tblBlog
WHERE BlogName LIKE ''%' + @SearchString + '%'''
EXEC (@SQLString)
END
Now imagine that a user types the following into the search box:
a'; DROP TABLE tblUsers--
The a' simply passes the letter a into the search string and closes the quotes to complete a valid search string. The semi-colon which follows this is used as a statement terminator to end the query. The next part of the text begins a new SQL statement and attempts to delete our table of users! The final two dashes are used to begin a comment which effectively disables any other code that we might be concatenating to the end of the search string.
Frightening isn't it? Although it can also be humorous. There are many other things a malicious user might attempt to do and many professionals make a good living from attempting to break a client's system with an SQL injection attack.
There are many techniques for preventing SQL injection attacks, some of which may be taken care of by people involved in developing other parts of your complete system. You should still be aware of the things that you can do to help mitigate the chances of such an attack succeeding. There are several excellent websites which describe various strategies for dealing with SQL injection, including this excellent article from the CodeProject, and the definitive article on dynamic SQL by Erland Sommarskog.
You can learn more about this topic on the following Wise Owl courses:
Kingsmoor House
Railway Street
GLOSSOP
SK13 2AA
Landmark Offices
99 Bishopsgate
LONDON
EC2M 3XD
Holiday Inn
25 Aytoun Street
MANCHESTER
M1 3AE
© Wise Owl Business Solutions Ltd 2024. All Rights Reserved.