SQL Server Forums
 dynamic sql-2 questions
bill_
Starting Member

37 Posts

Posted - 09/17/2013 : 12:07:24
I read that executing a query string isn't safe when parameters come from screen input.

1) Is that because parameters can be wrong and cause errors and because they can be used for injection?
2) If those parameters are checked to make sure they're OK, is executing a query string safe?

James K
Flowing Fount of Yak Knowledge

3636 Posts

Posted - 09/17/2013 : 12:32:45
quote:
Originally posted by bill_

I read that executing a query string isn't safe when parameters come from screen input.

1) Is that because parameters can be wrong and cause errors and because they can be used for injection?
2) If those parameters are checked to make sure they're OK, is executing a query string safe?

The safety issue comes from potential SQL injection attacks. In addition to safety, it also has performance and logical considerations. For example:

1. Inability to reuse query plans
2. Breaking of ownership chains
3. More complex and less readable code etc.

But above all, it is really the risk of SQL injection attacks that makes it undesirable to use dynamic SQL. If you do want to use dynamic SQL, parameterize your queries and use sp_executesql rather than exec.
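To illustrate the advice above, here is an added T-SQL example that is not part of the thread. It contrasts splicing screen input into the statement text and running it with EXEC against passing the same input as a parameter to sp_executesql; the #Customers temp table and its rows are constructed for the example.

```sql
-- Constructed sample data (not from the thread)
CREATE TABLE #Customers (CustomerId INT, LastName NVARCHAR(50), City NVARCHAR(50));
INSERT INTO #Customers VALUES (1, N'Smith', N'Boston'), (2, N'O''Brien', N'Denver');

-- Pretend this value arrived from a screen field.
DECLARE @LastName NVARCHAR(50) = N'O''Brien';

-- Unsafe pattern: the input becomes part of the statement text.
-- A legitimate apostrophe already breaks the statement (question 1: errors),
-- which is the same mechanism an injection relies on: the input changes
-- the SQL rather than being compared against a column. Every distinct value
-- also compiles to a distinct plan, so plans are not reused.
DECLARE @unsafe NVARCHAR(MAX) =
    N'SELECT CustomerId FROM #Customers WHERE LastName = ''' + @LastName + N'''';
BEGIN TRY
    EXEC (@unsafe);
END TRY
BEGIN CATCH
    PRINT N'EXEC of spliced text failed: ' + ERROR_MESSAGE();  -- unclosed quotation mark
END CATCH;

-- Safe pattern: the statement text is a constant; the value travels as a
-- typed parameter, so it can only ever be data. One plan serves all values.
DECLARE @sql NVARCHAR(MAX) =
    N'SELECT CustomerId FROM #Customers WHERE LastName = @p_last';
EXEC sp_executesql @sql, N'@p_last NVARCHAR(50)', @p_last = @LastName;  -- returns 2

-- Identifiers (table or column names) cannot be parameters. If they must vary,
-- validate against an allow-list and wrap them with QUOTENAME before splicing.
DECLARE @col SYSNAME = N'City';
IF @col NOT IN (N'LastName', N'City')
    THROW 50000, N'Column name not in the allow-list', 1;
DECLARE @sql2 NVARCHAR(MAX) =
    N'SELECT CustomerId, ' + QUOTENAME(@col) + N' FROM #Customers WHERE LastName = @p_last';
EXEC sp_executesql @sql2, N'@p_last NVARCHAR(50)', @p_last = @LastName;  -- returns 2, Denver

DROP TABLE #Customers;
```

Checking input "to make sure it's OK" (question 2) is what the allow-list does for identifiers; for values, parameterization removes the need to reason about which characters are dangerous.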