 Article: Introduction to Dynamic SQL


AskSQLTeam
Ask SQLTeam Question

0 Posts

Posted - 2001-06-20 : 11:23:43
One of the most common questions we get involves Dynamic SQL. We have some articles that cover it but none that really start with the basics. So Merkin sat down and wrote this introduction to dynamic SQL. Using dynamic SQL you can put a SQL statement inside a variable and execute that statement. It's what you have to do when you're trying to run Select * from @TableName. Thanks Merkin!

Article Link.

nedhale
Starting Member

1 Post

Posted - 2007-02-08 : 21:52:33
PLEASE do a web search on SQL injection before using dynamic SQL like this. The first example given where the ArticleID is read from the query string is a great example of an ASP page with a huge security hole. If I typed in the URL "http://server/search.asp?ArticleID=1;Delete * From Users" your DB has just been compromised. There are lots of good tutorials available so please take a look. Wikipedia is a good place to start.

http://en.wikipedia.org/wiki/Sql_injection
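To make the point concrete, here is an added T-SQL example (not code from the article or from either poster) showing the concatenation pattern nedhale warns about beside the parameterised form, plus the catalog-checked variant for the article's own "Select * from @TableName" case; the dbo.Articles table and its ArticleID column are assumed.

```sql
-- Vulnerable: the query-string value is glued into the statement text,
-- so anything appended after the number is executed as SQL.
CREATE PROCEDURE dbo.GetArticle_Unsafe
    @ArticleID nvarchar(50)   -- arrives as free text from the ASP page
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT * FROM dbo.Articles WHERE ArticleID = ' + @ArticleID;
    EXEC (@sql);
END;
GO

-- Hardened: the value is bound through sp_executesql as a typed parameter.
-- It never becomes part of the statement text; non-numeric input fails
-- the int conversion instead of running as a second statement.
CREATE PROCEDURE dbo.GetArticle_Safe
    @ArticleID int
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT * FROM dbo.Articles WHERE ArticleID = @id';
    EXEC sp_executesql @sql, N'@id int', @id = @ArticleID;
END;
GO

-- When the object name itself must vary (the article's SELECT * FROM
-- @TableName case) a parameter cannot carry it, so confirm the name exists
-- in the catalog and bracket-quote it before building the statement.
CREATE PROCEDURE dbo.SelectFromTable
    @TableName sysname
AS
BEGIN
    IF OBJECT_ID(N'dbo.' + QUOTENAME(@TableName), N'U') IS NULL
    BEGIN
        RAISERROR(N'Unknown table', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT * FROM dbo.' + QUOTENAME(@TableName);
    EXEC sp_executesql @sql;
END;
GO
```

The procedure executing the dynamic statement should also run under a login limited to the tables it needs, so that even a successful injection cannot reach Users.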