
I see there are forums about this question, but everywhere, I fail to see the answer I am looking for.

I have a stored procedure whose purpose is to execute dynamic SQL statements. It uses a cursor, which makes it a single point where only a single REPLACE() is made. Here is, simply, how it goes at the end.

Here is a sample of my approach:

DECLARE @myVariable VARCHAR(128) = 'something''; DELETE DATABASE '
DECLARE @mySQL VARCHAR(8000)
-- Double every single quote inside the value, then wrap the value in quotes
SELECT @mySQL = 'SELECT * FROM myTable t WHERE t.myColumn = '''
              + REPLACE(@myVariable, '''', '''''')
              + ''''

EXEC (@mySQL)
-- Result (the doubled quote is a literal quote inside the string constant):
-- SELECT * FROM myTable t WHERE t.myColumn = 'something''; DELETE DATABASE '

There is no way I can find that this method can be bypassed. Now I know there are a lot of answers to that question and that it has already been gone through. But every answer to it I find FAILS to answer IN WHAT WAY one would SUCCESSFULLY string inject ANYTHING through this. I know that parameterized expressions are a best practice, but it IS NOT an answer to this.

I want a SINGLE example on how one could successfully string inject anything through that gate.

  • Welcome to the community. Why don't you just use prepared statements? Commented Dec 10, 2023 at 12:41
  • I put all dynamic queries in a table before executing them in a cursor; these are processed in a single INSERT query with REPLACE(, '''', ''''''), and I don't see any way of using prepared statements in that setup. Commented Dec 10, 2023 at 12:44
  • I'm not sure, but I think replacing is not the best idea, because you can strip away something which ends up executing in the end... Commented Dec 10, 2023 at 13:08
  • I guess the structure has to be thought through from a better perspective to include prepared statements. You are right, running after inputs is a bad design to start with. Commented Dec 11, 2023 at 16:53
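A parameterised version of the "queries in a table, executed from a cursor" design discussed in the question and comments, as an added example that is not from the original post: the user-supplied value is stored as data next to a statement template and bound through sp_executesql, so it never becomes part of the SQL text and no REPLACE() is needed. The temp tables #PendingQueries and #myTable are assumptions standing in for the post's queue table and myTable.

```sql
-- Constructed example (not the post's code): a stand-in for myTable
CREATE TABLE #myTable (myColumn NVARCHAR(128) NOT NULL);
INSERT INTO #myTable (myColumn) VALUES (N'O''Brien'), (N'something');

-- Queue of pending dynamic queries: template text plus the value it needs.
-- The value column holds data only; it is never concatenated into Statement.
CREATE TABLE #PendingQueries (
    Id        INT IDENTITY(1,1) PRIMARY KEY,
    Statement NVARCHAR(4000) NOT NULL,   -- template with a named parameter
    Value     NVARCHAR(128)  NOT NULL    -- user-supplied value, stored as data
);

INSERT INTO #PendingQueries (Statement, Value) VALUES
  (N'SELECT * FROM #myTable t WHERE t.myColumn = @p1', N'something''; DELETE DATABASE '),
  (N'SELECT * FROM #myTable t WHERE t.myColumn = @p1', N'O''Brien');

DECLARE @stmt NVARCHAR(4000), @val NVARCHAR(128);

DECLARE q CURSOR LOCAL FAST_FORWARD FOR
    SELECT Statement, Value FROM #PendingQueries ORDER BY Id;
OPEN q;
FETCH NEXT FROM q INTO @stmt, @val;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- The value is passed as a typed parameter, so quotes inside it are
    -- just characters of the compared string, not SQL syntax.
    -- First row returns nothing; second row returns O'Brien.
    EXEC sys.sp_executesql @stmt, N'@p1 NVARCHAR(128)', @p1 = @val;
    FETCH NEXT FROM q INTO @stmt, @val;
END
CLOSE q;
DEALLOCATE q;

DROP TABLE #PendingQueries;
DROP TABLE #myTable;
```

Only the template text is executed as SQL, so a value containing quotes or a semicolon cannot change the statement's shape regardless of its length or how it is quoted.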
