Have All Thirteen
…
Category: Dynamic SQL
Sneaky SQL Injection
One More Thing
I always try to impart on people that SQL injection isn’t necessarily about vandalizing or trashing data in some way.
Often it’s about getting data. One great way to figure out how difficult it might be to …
Dynamic Temp Table Pains
Tinker Toy
Let’s say you have dynamic SQL that selects different different data based on some conditions.
Let’s also say that data needs to end up in a temp table.
Your options officially suck.
If you create the table outside …
Just Using sp_executesql Doesn’t Make Dynamic SQL Safe To Use
Safe Belt
A lot of people I’ve talked to about dynamic SQL have been under the misguided impression that just using sp_executesql will fix safety issues with SQL injection.
In reality, it’s only half the battle. The other half …
Does sp_executesql WITH RECOMPILE Actually Recompile Anything?
No, No It Doesn’t
But it’s fun to prove this stuff out.
Let’s take this index, and these queries.
CREATE INDEX ix_fraud ON dbo.Votes ( CreationDate ); SELECT * FROM dbo.Votes AS v WHERE v.CreationDate >= '20101230'; SELECT * FROM…
Not Entirely Parameterized Dynamic SQL
Unskinny Top
When I blogged about passing parameters to TOP, we ran into a problem that has many possible solutions.
Perhaps the least complex answer was just to fix the index. Nine times outta ten, that’s what I’d …