| Author |
Topic |
|
WoodHouse
Posting Yak Master
211 Posts |
Posted - 2010-04-19 : 07:28:54
|
| The requirement is the user will send the string query for input. I just get the string query, execute it, and return back the result set.

For example:

CREATE PROCEDURE SPTEST_SQL( @SQL NVARCHAR(MAX))
AS
BEGIN
    EXEC SP_EXECUTESQL @SQL
END
GO

EXEC SPTEST_SQL 'SELECT * FROM SYS.TABLES'

For this, is there any other best method, or what are the things I need to concentrate on? Please help on this. |
|
|
webfred
Master Smack Fu Yak Hacker
8781 Posts |
Posted - 2010-04-19 : 08:24:44
|
That's a really dangerous idea!
Example:
EXEC SPTEST_SQL 'DROP TABLE CUSTOMER'

No, you're never too old to Yak'n'Roll if you're too young to die. |
 |
|
|
Transact Charlie
Master Smack Fu Yak Hacker
3451 Posts |
Posted - 2010-04-19 : 08:36:04
|
| Read this:
http://www.sommarskog.se/dynamic_sql.html

And then this:
http://xkcd.com/327/

There's really no need to let your users run their own sql without constraints. I mean why would you? If you wanted them to have that level of power you would just give them a (restricted to select) login to the database server.

Charlie
===============================================================
Msg 3903, Level 16, State 1, Line 1736
The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION |
 |
|
|
harsh_athalye
Master Smack Fu Yak Hacker
5581 Posts |
Posted - 2010-04-19 : 08:40:34
|
Don't forget, you are providing an easy way for sql injection too!

Harsh Athalye
http://www.letsgeek.net/ |
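
The "restricted to select" suggestion from the thread, shown against the thread's own procedure. This is an added example, not code posted by any participant. The names report_user and ReportReader, the columns of dbo.CUSTOMER and the sample row are assumptions made for the demonstration, which is meant for a scratch database.

```sql
-- Added example: report_user, ReportReader and the CUSTOMER columns are hypothetical.
-- Constructed sample table standing in for the CUSTOMER table named in the thread.
CREATE TABLE dbo.CUSTOMER (CustomerID int PRIMARY KEY, Name nvarchar(100));
INSERT INTO dbo.CUSTOMER VALUES (1, N'Sample');
GO
-- The thread's procedure, same behaviour: it runs whatever string it is given.
CREATE PROCEDURE dbo.SPTEST_SQL (@SQL nvarchar(max))
AS
BEGIN
    EXEC sp_executesql @SQL;
END
GO
-- A principal that can only read. WITHOUT LOGIN keeps the demo self-contained;
-- a real deployment would map the user to a server login instead.
CREATE USER report_user WITHOUT LOGIN;
CREATE ROLE ReportReader;
GRANT SELECT ON SCHEMA::dbo TO ReportReader;
GRANT EXECUTE ON dbo.SPTEST_SQL TO ReportReader;
-- sp_addrolemember matches the thread's era; newer versions use ALTER ROLE ... ADD MEMBER.
EXEC sp_addrolemember 'ReportReader', 'report_user';
GO
-- Dynamic SQL is permission-checked against the caller, not the procedure owner,
-- because ownership chaining does not extend into sp_executesql.
-- Creating the procedure WITH EXECUTE AS OWNER would remove this protection.
EXECUTE AS USER = 'report_user';

EXEC dbo.SPTEST_SQL N'SELECT * FROM dbo.CUSTOMER';       -- allowed: SELECT was granted

BEGIN TRY
    EXEC dbo.SPTEST_SQL N'DROP TABLE dbo.CUSTOMER';      -- refused: no ALTER/CONTROL permission
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

REVERT;
GO
-- The table is still there after the refused DROP.
SELECT OBJECT_ID(N'dbo.CUSTOMER') AS CustomerObjectId;   -- non-NULL
GO
-- Clean up the scratch objects.
EXEC sp_droprolemember 'ReportReader', 'report_user';
DROP PROCEDURE dbo.SPTEST_SQL;
DROP ROLE ReportReader;
DROP USER report_user;
DROP TABLE dbo.CUSTOMER;
```

A select-only principal can still read every table it has been granted, so the GRANT SELECT scope should cover only the data those users are meant to see.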
 |