All Questions
Tagged with dynamic-sql sql-injection
41 questions
0 votes, 0 answers, 79 views
SQL injection and resulting query of sp_executesql
I've developed a stored procedure that utilizes dynamic SQL to search for specific entities (this is a procedure for catch all logic). Is this procedure prone to SQL injection, and how do I get the ...
0 votes, 1 answer, 78 views
pgsql function cannot execute
I tried to execute this function:
CREATE OR REPLACE FUNCTION public.increases_chrono(
chrono_seq_name text,
chrono_id_name text)
RETURNS TABLE(chrono_id bigint)
LANGUAGE 'plpgsql'
...
1 vote, 1 answer, 1k views
Dynamic SQL and SQL injection
I have been asked to look into generating a dynamic SQL statement in a function on a Postgres DB. In the past, I have always preferred that the SQL be generated at the app level but in this case, we ...
0 votes, 1 answer, 899 views
Dynamic SQL select multiple columns based on json field(s) without exposing SQL Injection risks
I'm creating a 'select colA, colB, colC, ...' stored proc, and I want the choice of columns to return to be based on JSON input.
The most basic way to achieve that is
DECLARE @jsonField nvarchar(max) =...
0 votes, 0 answers, 81 views
Is it a right approach to take advantage of roles?
After learning about dynamic queries, I'm trying to build a couple of base functions C(reate)R(ead)U(pdate)D(elete)
for my db, saving me from repeating a lot of code for each table/view.
I want to take advantage ...
2 votes, 2 answers, 826 views
How secure is format() for dynamic queries inside a function?
After reading the Postgres manual and many posts here, I wrote this function keeping in mind all I found regarding security. It works great and does everything I looked for.
takes a json, each key has an ...
2 votes, 2 answers, 131 views
Casting issue in call of custom aggregate function in dynamic SQL
I am trying to make a check function which checks whether a tsrange is contained within another one. Consider the complete example in this fiddle.
The last section is doing the "magic", ...
0 votes, 0 answers, 229 views
SQL Server - Building table with column datatype as user input - how to validate the user input
I have a stored procedure which creates tables based on inputs.
One of the inputs is the datatype of one of the columns in the table.
However, I am conscious that the user can input a string which is ...
0 votes, 2 answers, 89 views
Test software for SQL injection
We have to work with an older version of an ERP system (1993).
It has multiple modules. These modules have windows (tabs). Tabs have cols (obviously).
In these tabs the USER can make a "new column" -> it'...
1 vote, 1 answer, 135 views
Chances of SQL injection in dynamically constructed SQL
I have a query like this in MySQL
val selectQ = "SELECT NAME FROM EMPLOYEE"
val date = "2010-10-10"
val age = 10
Now I have some dynamic AND clauses,
like
val whereNameFilter = "WHERE date = $...
0 votes, 1 answer, 91 views
What is best way to secure t-sql dynamic code when it comes as filters using sp_executesql
I'm making a stored procedure which accepts dynamic filtering; the problem I have is that I need to keep it as flexible as possible.
ALTER PROCEDURE astp_test
@WhereClause NVARCHAR(max) = NULL
AS
...
1 vote, 0 answers, 126 views
Table name, column names as argument to stored procedure
I am a newbie to stored procedures and to PL/SQL. There is an existing procedure to copy data from one table to another. I want to rewrite the stored procedure to accept table name and column names as ...
1 vote, 1 answer, 897 views
SQL injection in SP_EXECUTESQL
I have a stored procedure in SQL Server which gets an XML as input parameter. In this XML it is defined which stored procedure with which parameter values should be executed. And according to that the ...
1 vote, 1 answer, 1k views
SQL injection for Dynamic where conditions in prepared statement
In my application we are collecting some user inputs from the UI and based on those values we are generating dynamic SQLs with different 'Where' conditions to query data. It is found that that piece of ...
0 votes, 1 answer, 106 views
SQL injection error in Dynamic SQL with prepared statement
In my application we are collecting some user inputs from the UI and based on those values we are generating dynamic SQLs with different 'Where' conditions to query data.
It is found that that piece of ...