Dynamic SQL - Exec and SP_ExecuteSQL with SQL Injection and Query Plans
Transcript of Dynamic SQL - Exec and SP_ExecuteSQL with SQL Injection and Query Plans
Dynamic SQL
Presented by Aaron Buma
Session Overview
What is Dynamic SQL
"SQL Injection" + " ; DROP TABLE"
"EXEC" – Adhoc and Sprocs
SP_EXECUTESQL
What is Dynamic SQL
Dynamic SQL
Demo
What is SQL Injection
Modifying a SQL Statement to run malicious SQL Commands. A possibility when user-entered fields are concatenated into a SQL Statement.
What is SQL Injection
A user injects malicious SQL that drops the table:
First Run
Second Run
SQL Injection
Demo
Execution using: EXEC ("query")
Most often used for executing sprocs
Parameters available for Sprocs; you can't parameterize queries
Vulnerable to SQL injection when concatenating
Does not use Query Plan Cache
EXEC under the hood
Demo
Execution using: SP_EXECUTESQL
Allows for parameters
They must have a defined data type
Protects against SQL Injection
The execution plan is compiled and cached: re-usable!
SP_ExecuteSQL
Demo
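The EXEC and SP_EXECUTESQL slides above, as an added T-SQL example that is not from the presentation: the concatenated EXEC form beside the parameterized sp_executesql form, followed by a plan-cache lookup to check the reuse claim. The dbo.Customers table and the input value are constructed for this demo; the cache query needs VIEW SERVER STATE permission.

```sql
-- Constructed demo table (not from the presentation)
CREATE TABLE dbo.Customers (CustomerId INT IDENTITY PRIMARY KEY, Name NVARCHAR(100));
INSERT INTO dbo.Customers (Name) VALUES (N'Alice'), (N'O''Brien');
GO

-- Vulnerable pattern: the user value is glued into the statement text.
-- The value becomes part of the SQL grammar, so a quote inside it ends the
-- literal and everything after it is parsed as SQL. A harmless name breaks
-- the statement; the slide's "; DROP TABLE" input is the same mechanism.
DECLARE @UserInput NVARCHAR(100) = N'O''Brien';   -- constructed input containing a quote
DECLARE @Sql NVARCHAR(MAX) =
    N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = ''' + @UserInput + N'''';
PRINT @Sql;   -- ... WHERE Name = 'O'Brien'   (literal closed early)
EXEC (@Sql);  -- fails with a syntax error; each distinct string is a distinct ad-hoc plan
GO

-- Parameterized pattern: the statement text is fixed and the value travels
-- separately with a declared type, so it can never be read as SQL syntax.
DECLARE @UserInput NVARCHAR(100) = N'O''Brien';
DECLARE @Sql NVARCHAR(MAX) =
    N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name';
EXEC sp_executesql @Sql, N'@Name NVARCHAR(100)', @Name = @UserInput;  -- returns the O'Brien row
GO

-- Check the plan-cache claim: the same text with different values reuses one
-- cached plan (usecounts climbs), whereas the EXEC string above changed with
-- every value and therefore could not be reused.
DECLARE @Sql NVARCHAR(MAX) =
    N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name';
EXEC sp_executesql @Sql, N'@Name NVARCHAR(100)', @Name = N'Alice';
EXEC sp_executesql @Sql, N'@Name NVARCHAR(100)', @Name = N'O''Brien';

SELECT cp.usecounts, cp.objtype, cp.cacheobjtype, st.text
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.text LIKE N'%dbo.Customers WHERE Name = @Name%'
  AND st.text NOT LIKE N'%dm_exec_cached_plans%';   -- exclude this lookup itself
GO

DROP TABLE dbo.Customers;  -- clean up the constructed demo table
GO
```

The cached text for the parameterized statement is stored with its parameter declaration prefixed, e.g. `(@Name NVARCHAR(100))SELECT ...`, which is why the LIKE pattern matches on the statement body rather than its start.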
Questions?
What is Dynamic SQL
"SQL Injection" + " ; DROP TABLE"
"EXEC" – Adhoc and Sprocs
SP_EXECUTESQL