Saturday, September 21, 2019

sp_executesql how to prevent SQL Injection

What is SQL Injection : 
SQL injection is a type of injection attack, in which inserts SQL query via the input data from client to application and it can read sensitive data from database or modified database data or execute administration operation.

 sp_executesql is system stored procedure, it is used to execute the SQL script like EXEC but sp_executesql allows for SQL statement to be parameterized as instead of embedding or injecting it into SQL code so it stops any SQL Injection possibility.

 sp_executesql how to prevent SQL Injection

 Here is an example of sp_executesql how to prevent SQL Injection:

CREATE PROCEDURE dbo.usp_validate_user
     @UserName as varchar(10),
     @Password as varchar(10)
AS
BEGIN
    
     declare @sqlString as varchar(max)
     SET @sqlString = 'Select id from dbo.Users Where UserName = @UserName and password = @Password'

     EXECUTE sp_executesql @sqlString,
     N'@UserName as varchar(10),  @Password as varchar(10)'
       @UserName,  @Password

END
GO

Difference between Exec and sp_executesql :

There are some other difference between Exec and sp_executesql

sp_executesql
EXEC  
Allow for statement to be parameterized
There is no option for parameterize column
No Risk of SQL Injection
High Risk of SQL Injection
Strongly typed parameters
No Strongly typed parameters
Performance Benefits - Cache an execution plane on first run
Create an execution plan for each run

Posted by at No comments:
Labels:

What is sp_executesql system stored procedure in SQL Server

In this blog, we will discuss about sp_executesql stored procedure and what advantage sp_executesql stored procedure have it over EXEC.

sp_executesql is system stored procedure, it is used to execute the SQL script like EXEC but sp_executesql allows for SQL statement to be parameterized as instead of embedding or injecting it into SQL code so it stops any SQL Injection possibility.

There are some other difference between Exec and sp_executesql

sp_executesql
EXEC  
Allow for statement to be parameterized
There is no option for parameterize column
No Risk of SQL Injection
High Risk of SQL Injection
Strongly typed parameters
No Strongly typed parameters
Performance Benefits - Cache an execution plane on first run
Create an execution plan for each run

Here is an example of sp_executesql:

CREATE PROCEDURE dbo.usp_validate_user
     @UserName as varchar(10),
     @Password as varchar(10)
AS
BEGIN
    
     declare @sqlString as varchar(max)
     SET @sqlString = 'Select id from dbo.Users Where UserName = @UserName and password = @Password'

     EXECUTE sp_executesql @sqlString,
     N'@UserName as varchar(10),  @Password as varchar(10)'
       @UserName,  @Password

END
GO

Posted by at No comments:
Labels:

SQL Common Table Expressions (CTE)

SQL CTE stands for Common Table Expression, and it was introduced in SQL Server 2005 and basically it simplify the complex SQL queries and help to write the recursive query.

SQL CTE always returns temporary result set and the scope of result is only to next SQL query and it can be referenced within a Select, INSERT, UPDATE, or DELETE statement.

A SQL CTE can be used to:
·         Use the CTE's result-set more than once in SQL query
·         Substitute for a view when the general use of a view is not required;
·         Simplify the complex joins
·         Create a recursive query

Here is an example of CTE:

We want to calculate yearly sales reports by using SQL CTE

Order Table:

OrderID
OrderAmount
OrderDate
1
 $           189.00
8/21/2017 10:58
2
 $             76.00 
12/21/2017 10:59
3
 $             76.00 
6/21/2017 10:59
4
 $             79.00 
8/21/2016 11:00
5
 $             84.00 
4/21/2019 11:00

With CTE_YearlySale AS
(
 Select OrderID, OrderAmount, Year(OrderDate) [Year] from dbo.Order
)
Select [Year], SUM(OrderAmount) [Sales] from CTE_YearlySale group by [YEAR]

Output:

Year
Sales
2016
 $        79.00
2017
 $      341.00
2019
 $        84.00

Here is an example of Recursive Query by using CTE:

WITH [CTE_Recursive] AS (
SELECT 1 AS [Number]
UNION ALL
SELECT [Number]+1
FROM [CTE_Recursive]
WHERE [Number] <= 8
)
SELECT [Number], Case When ([Number] % 2 = 1) THEN 'ODD' ELSE 'EVEN' END [Label] FROM [CTE_Recursive]

Output:


Number
Label
1
ODD
2
EVEN
3
ODD
4
EVEN
5
ODD
6
EVEN
7
ODD
8
EVEN
9
ODD

 

For more information about the SQL Common Table Expressions (CTE) visit WITH common_table_expression (Transact-SQL)


Posted by at No comments:
Labels:
Subscribe to: Comments (Atom)