September 2010
Intermediate to advanced
1704 pages
111h 8m
English
The EXEC() (or EXECUTE()) command in SQL Server lets you execute queries built dynamically into a character string. This is a useful feature for building queries on the fly in your T-SQL code when a stored procedure cannot account for every possible search criterion, or when static queries do not optimize effectively.
However, when coding dynamic SQL, it’s important to make sure your code is protected from possible SQL injection attacks. A SQL injection attack is, as its name suggests, an attempt by a hacker to inject T-SQL code into the database without permission. Typically, the hacker’s goal is to retrieve confidential data such as Social Security or credit card ...
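As an added illustration (not an excerpt from the book), here is the same dynamic search built the unsafe way and the safe way in T-SQL; the dbo.Customers table, its columns and the procedure names are assumed for the example:

```sql
-- Added example, not from the book. Assumes dbo.Customers(CustomerID int,
-- LastName nvarchar(50)) exists.

-- 1) Vulnerable: the caller's value is concatenated straight into the statement,
--    so whatever text arrives in @LastName becomes part of the T-SQL that EXEC() runs.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = '''
             + @LastName + N''';';
    EXEC (@sql);   -- a quote character inside @LastName ends the string literal early
END;
GO

-- 2) Hardened: the statement text is fixed, and the search value is handed to
--    sp_executesql as a typed parameter, so it is only ever compared, never executed.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName nvarchar(50),
    @SortColumn sysname = N'LastName'
AS
BEGIN
    -- Identifiers cannot be parameterized. When one must vary, allow only names
    -- that really exist on the table and quote the result with QUOTENAME().
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Customers') AND name = @SortColumn)
        THROW 50000, N'Unknown sort column', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = @p_LastName '
      + N'ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    EXEC sys.sp_executesql
        @stmt       = @sql,
        @params     = N'@p_LastName nvarchar(50)',
        @p_LastName = @LastName;
END;
GO
```

Parameterizing through sp_executesql also lets SQL Server reuse one cached plan for every search value, which concatenated EXEC() strings cannot do.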