How to Avoid SQL Injection

Using dynamic SQL to support Web searches can expose SQL Server to malicious SQL commands called SQL injection. Here’s how to avoid this problem.

Readers

May 9, 2005

2 Min Read
ITPro Today logo in a gray background | ITPro Today

DBAs often try to use dynamic SQL to support Web searches. It’s common practice to capture search data from Web pages and pass that data as parameters to a SQL Server stored procedure. The stored procedure then builds dynamic SQL and returns a result set. This provides a flexible approach for all dynamic searches. However, this approach can expose SQL Server to malicious SQL commands called SQL injection. This security vulnerability occurs in the database layer. The source is the incorrect escaping of variables embedded in SQL statements. It can lead to nefarious users retrieving data, altering server settings, or even taking control of the server. Fortunately, dynamic SQL execution can be avoided by converting it to a static SQL search.

For example, DynamicEmployeesList.sql, which Listing 1 shows, includes a stored procedure to search the Northwind database for employee data. The stored procedure uses dynamic SQL to perform the search. Depending on the search parameters passed to the stored procedure, it builds dynamic SQL and returns the data set to the calling application. If no parameters are passed, the stored procedure returns all the records from the Employees table of the Northwind database.

StaticEmployeesList.sql, which Listing 2 shows, demonstrates how this simple dynamic search SQL can be converted to static SQL search by modifying the Where clause in the stored procedure. This approach provides not only flexibility but also the best security. In this case, the user needs only execution permission on the stored procedure. Incorrect values passed to the parameter won’t allow the user to take control of the server.

— Raj Rathi
[email protected]

Editor’s Note
Share your SQL Server discoveries, comments, problems, solutions, and experiences with products and reach out to other SQL Server Magazine readers. Email your contributions (400 words or less) to [email protected]. Please include your phone number. We edit submissions for style, grammar, and length. If we print your submission, you’ll get $50.

About the Author

Readers

Readers

See more from Readers
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

a digital shield icon with a keyhole next to text that says linux kernel security
Vulnerabilities & Threats
Linux Kernel Exploits: How Attackers Gain Root Access and How To Defend Against It
Linux Kernel Exploits: Common Threats and How To Prevent Them

Oct 8, 2024

DevOps warning sign in front of gray sky
DevOps
How to Avoid Hidden DevOps Costs and Optimize for Efficiency
How to Avoid Hidden DevOps Costs and Optimize for Efficiency

Oct 9, 2024

a phone call between two business people reveals that one of them is a deepfake scammer
Vulnerabilities & Threats
We’re Worried About Deepfake Voice Scams. How Do We Protect Employees?
We’re Worried About Deepfake Voice Scams. How Do We Protect Employees?

Oct 4, 2024

Exclusive ITPro Resources
See all ITPro Resources

Featured Technical Explainers

multicloud concept
Cloud Computing
Cross-Cloud: The Next Evolution in Cloud Computing?
Cross-Cloud: The Next Evolution in Cloud Computing?
Wi-Fi 6 speed logo glowing on virtual screen while businessperson points hand and using laptop computer.
IT Operations
Wi-Fi 6: A Step Forward, But Wired LAN Still Holds the Crown
Wi-Fi 6: A Step Forward, But Wired LAN Still Holds the Crown
American flag in front of a government building
IT Operations
Pros and Cons of Government IT Jobs
Pros and Cons of Government IT Jobs
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

Recent What Is

cartoon shows a person next to a checklist and several icons that represent disaster scenarios
Disaster Recovery
BCDR Basics: A Quick Reference Guide for Business Continuity & Disaster RecoveryBCDR Basics: A Quick Reference Guide for IT Pros
technology interface with a person's hand drawing gears and cogs
PowerShell
Introduction To PowerShell Environment VariablesIntroduction To PowerShell Environment Variables