Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
lotek
Starting Member
42 Posts |
 Posted - 2005-11-11 : 14:16:09
|
| Two questions:1. Is there a way to validate dynamic sql? Or at least exececute it to see if its valid and then return and error if its not?2. I am building something that allows a user to enter a where clause online to retrieve some records from a table. Does this present any security concerns? I am predefining the table then just concatenating the where, something like:'SELECT field1, field2 FROM table WHERE (' + userInput + ')' |
|
|
blindman
Master Smack Fu Yak Hacker
2365 Posts |
Posted - 2005-11-11 : 15:07:01
|
| [code]select 'SELECT field1, field2 FROM table WHERE (' + '1=0) UNION select name, id from sysobjects where type = (''U''' + ')'--Got a list of tables!select 'SELECT field1, field2 FROM table WHERE (' + '1=0) UNION select name, xtype from syscolumns where (id = 1977058079' + ')'--Got a list of fields!select 'SELECT field1, field2 FROM table WHERE (' + '1=0) UNION update Employees set LastName = ''blindman'', Title = ''SQL God'' where(1=1' + ')'--You done been hacked.[/code] |
 |
|
|
blindman
Master Smack Fu Yak Hacker
2365 Posts |
Posted - 2005-11-11 : 15:08:09
|
| Oops...gotta change the UNION in the last statement to GO. But hey, I'm a hacker and I've got all day to sit around in my basement and play with this. |
|
|
|
lotek
Starting Member
42 Posts |
Posted - 2005-11-11 : 15:16:34
|
| Humm i see, is there any "safe" way to set something like this up? Basically i only have two views that the dynamic where queries would be run against. Maybee i could setup a user with read only access to those two views and run the queries using that user? Would that solve the security problem? |
|
|
|
lotek
Starting Member
42 Posts |
Posted - 2005-11-11 : 15:20:36
|
| Or would there be anyway to populate a table variable with the information that the user is allowed to query and then contrain their query to that data? |
|
|
|
madhivanan
Premature Yak Congratulator
22864 Posts |
|
|
|
|
|
Dyanmic Sql Validation and Security