December 2013
Intermediate to advanced
1872 pages
153h 31m
English
book
Microsoft® SQL Server 2012 Unleashed
by Ray Rankins, Paul T. Bertucci, Chris Gallelli, Alex T. Silverstein
Content preview from Microsoft® SQL Server 2012 UnleashedBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Avoid SQL Injection Attacks When Using Dynamic SQL
The EXEC () (or EXECUTE ()) command in SQL Server enables you to execute queries built dynamically into a character string. This is a great feature for building queries on the fly in your T-SQL code when it may not be possible to account for all possible search criteria in a stored procedure or when static queries may not optimize effectively.
However, when coding dynamic SQL, it’s important to make sure your code is protected from possible SQL injection attacks. A SQL injection attack, as its name suggests, is an attempt by a hacker to inject T-SQL code into the database without permission. Typically, the hacker’s goal is to retrieve confidential data such as Social Security or credit card numbers ...