sql_variant parameters and Dynamic SQL

Let’s start off by saying that this article is not a recommendation to use sql_variant as a data type. There are many articles, written by far more reputable people, that have explained why sql_variant isn’t a good choice of data type. Saying that, however, if you are using dynamic SQL then yes, you could pass one as a parameter to have that dynamic statement correctly cast that parameter to the correct data type. For a "catch all" query, where you are passing both a dynamic column and a value that could have different data types, this permits you to…


An in-depth look at injecting

Injecting into SQL is something I have covered multiple times, but today I wanted to cover it a bit more in full to touch on why doing it incorrectly is a problem, and also the different ways to inject properly. Some of this will definitely be repetition of stuff I’ve said before, but I felt that having it in one article isn’t a bad thing.

When SQL Injection goes wrong

The biggest problem with injecting is doing it incorrectly, and thus opening your instance up to SQL injection attacks. For those of you that don’t know what…


Welcome to 2020, may I take your coat? How about your Customer Data?

That’s right, it’s now 2020, we’re already in the 2nd decade of the “new” millennium. A lot has changed in the last 20 years: High Speed Broadband (cough, for most of us) is commonplace, computers are faster than ever, cars are more economical, the polar icecaps are smaller (apparently), and a Happy Meal from McDonald’s isn’t 99p any more. There are some things that haven’t changed too: The UK is still part of the EU (at time of writing), your neighbour’s dog still barks all night, and customer data is still wide open to theft from SQL injection. Yes,…
