tags:

views:

382

answers:

4
+3  Q: 

SQL Server: Sanitizing @param against injection attacks

For the sake of argument, let's just say I have to create a local variable containing a SQL query that has an INSERT:

DECLARE @insert NVARCHAR(MAX) SELECT @insert = 'INSERT INTO [dbo].[' + @table + '] VALUES... EXEC (@insert)

This INSERT is also going to contain a column value:

DECLARE @insert NVARCHAR(MAX) SELECT @insert = 'INSERT INTO [dbo].[' + @table + '] VALUES (N''' + @message + ''')' EXEC (@insert)

Now, I'm obviously concerned about an injection attack, and would like to ensure that @message's value can't make @insert's value malicious or malformed as a query to EXEC.

This brings us to my question: is escaping the ' characters in @message sufficient? Are there any other characters that could appear in @message that could escape out?

Example:

DECLARE @insert NVARCHAR(MAX) SELECT @message = REPLACE(@message,'''','''''') SELECT @insert = 'INSERT INTO [dbo].[' + @table + '] VALUES (N''' + @message + ''')' EXEC (@insert)

(When I say "have to", this is because my query is in a stored procedure, and this stored procedure accepts @table, which is the destination table to INSERT into. I'm not interested in discussing my architecture or why the table to INSERT into is "dynamically" specified via a procedure parameter. Please refrain from commenting on this unless there's another way besides EXEC()ing a query to specify a table to INSERT into when then table name is received as a procedure parameter.)

+6  A: 

Use sp_executesql and the built-in quotename(). This article, The Curse and Blessings of Dynamic SQL, is pretty much the definitive reference.

Mitch Wheat  2009-04-01 02:40:24
++ canonical reference
le dorfier  2009-04-01 03:35:26
Apparently there's a 128-length limit to quotename(), even in 2008, since it expects a SQL identifier. The reference suggests creating a quotestring() function (http://www.sommarskog.se/dynamic_sql.html#quotestring), which does exactly the same thing as REPLACE(@variable,'''','''''').
Chris  2009-04-01 16:02:09
+1  A: 

Rather than calling EXEC(@somesql), I suggest using the sp_executesql stored procedure. Specifically, this allows you to pass parameters, and the system will check that the parameters are valid.

Scott Whitlock  2009-04-01 02:42:39
Yeah, unfortunately, SQL Server 2008 Express is telling me "Must declare the table variable '@my_table'." after executing that code.
Chris  2009-04-01 02:48:15
I was sure I did this in SQL Server 2005, but I admit that I could just be very very tired. I apologize. I'll try this tomorrow.
Scott Whitlock  2009-04-01 03:02:23
Nope, I'm wrong. I'll remove that section of the answer.
Scott Whitlock  2009-04-01 14:26:24
+1  A: 

You could first query the schema information with regular T-SQL and make sure the table name exists first. This way, if it's malformed SQL, it won't execute as code. It will just be a VARCHAR table name.

DECLARE @Table AS VARCHAR(MAX)
DECLARE @Exists AS BIT

SET @Table = 'Vicious malformed dynamic SQL'

SELECT  @Exists = COUNT(TABLE_NAME) 
FROM    INFORMATION_SCHEMA.TABLES 
WHERE   TABLE_NAME = @Table

IF (@Exists = 1)
    BEGIN
    PRINT 'Table exists'
    -- Execute dynamic SQL.
    END
ELSE
    PRINT 'Invalid table'

(Or simply use IF EXISTS (SELECT ....) )

HardCode  2009-04-01 03:05:40
Good thinking. I've been doing what follows. Is there any advantage of either? What I've been doing: "IF OBJECT_ID(@table,'U') IS NULL..."
Chris  2009-04-01 03:21:33
A: 

Apparently there's a 128-length limit to quotename(), even in 2008 according to my test, since it expects a SQL identifier. The reference suggests creating a quotestring() function, which does the same thing as:

REPLACE(@variable,'''','''''')

Therefore I am proposing that the answer is to create a function out of the REPLACE() above, like so:

CREATE FUNCTION quotestring(@string nvarchar(MAX)) 
RETURNS nvarchar(MAX) AS
BEGIN
    RETURN(REPLACE(@string,'''',''''''))
END

...Unless I've misunderstood something.

Chris  2009-04-01 16:07:44
Can you pass an nvarchar(MAX) as a parameter like that?
Scott Whitlock  2009-04-01 17:21:27
Sure, why not? It's now an operating function in my dev. environment. :)
Chris  2009-04-01 19:15:42

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?