tags:

views:

690

answers:

2
+1  Q: 

SQL Encode string parameter so special characters work

I would like to be able to add a new SQL LOGIN and name it after a person email address. For example "[email protected]". When I pass this to the following stored procedure I get an error (error follows procedure).

The stored proc:

CREATE PROCEDURE [Forms].[AddLogin]
    @Email nvarchar(2048),
    @TenantPassword nvarchar(2048)
AS
BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;

    EXEC('CREATE LOGIN ' + @Email + ' WITH PASSWORD = ''' + @TenantPassword + ''', DEFAULT_DATABASE = DunderMifflin')
END

The Error:

Msg 102, Level 15, State 1, Line 1
Incorrect syntax near '.'.

I'm sure all I need to do is encode the parameter somehow. Any help? If I add a user via the SQL Manager wizard I can specify email addresses so I know that it is a valid Login name.

+2  A: 

You should be able to surround it with square brackets, as detailed here:

EXEC('CREATE LOGIN [' + @Email + '] WITH PASSWORD = ''' + @TenantPassword + ''', DEFAULT_DATABASE = DunderMifflin')
Chad Birch  2009-05-11 22:26:57
+1 Nice catch. This may still fail when your password is not complex enough, so you might want to provide a return value!
Andomar  2009-05-11 22:42:45
Note this will fail when there is an apostrophe in the password!
BradC  2009-05-11 22:50:40
Assuming he hadn't already escaped it, yes. That's outside the scope of his question, but the link in my answer goes over some techniques for avoiding that possibility.
Chad Birch  2009-05-11 22:56:39
Thanks for the tip adding the square brackets worked.
Justin  2009-05-12 02:05:08
A: 

Obligatory injection warning: Whatever you do, please don't pass the user's password directly into this routine!! What if the user entered a password of 

bill');DROP DATABASE DunderMifflin;--

and then you are basically executing the statement:

CREATE LOGIN [email protected] WITH PASSWORD = 'bill');
DROP DATABASE DunderMifflin;
-- ''', DEFAULT_DATABASE = DunderMifflin')

and that's not good.

BradC  2009-05-11 22:59:32
Totally agree and am aware of this problem. So what do you suggest to secure it?
Justin  2009-05-12 02:06:14
Actually looks like there are lots of suggestions in the link provided above by Chad.
Justin  2009-05-12 02:10:22
yes, Chad's link does contain some good suggestions. just wanted to bring this vulnerability to the forefront if you weren't already aware of the risk.
BradC  2009-05-12 13:47:03

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?