8/9/2023 0 Comments

Exec t sql

First of all, let's check what both commands mean:

Exec: Executes a command string or character string within a Transact-SQL batch, or one of the following modules: system stored procedure, user-defined stored procedure, CLR (common language runtime) stored procedure, scalar-valued user-defined function, or extended stored procedure.

Sp_executesql: Executes a Transact-SQL statement or batch that can be reused many times, or one that has been built dynamically. The Transact-SQL statement or batch can contain embedded parameters.

Bad Habits to Kick: Using EXEC() instead of sp_executesql.

This is mostly a preference due to security and consistency, and has nothing to do with performance (though that may have been more of a concern in ancient versions of SQL Server).

Why use EXEC() some of the time when you should be using sp_executesql whenever you have parameters? EXEC() forces you to concatenate all of your variables into a single string, and this makes it ripe for abuse.

SQL injection is a pretty big deal, and plenty of other people have written about it too. I also wrote about protecting yourself from SQL injection here:

Protecting Yourself from SQL Injection in SQL Server - Part 1
Protecting Yourself from SQL Injection in SQL Server - Part 2

Finally, be sure when you call system procedures that you use the proper casing to match what's stored in sys.all_objects - it should be all lower case. Otherwise, if your code gets deployed to a case-sensitive instance, it will all start failing.
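As an added illustration (not code from the original post), here is the same dynamic lookup written both ways in T-SQL. The dbo.Customers table, its rows and the @Name value are constructed for the example; the point is that with EXEC() the variable's contents become part of the SQL text, while with sp_executesql they travel as a typed parameter.

```sql
-- Constructed sample data for the example (assumed names, not from the post).
CREATE TABLE dbo.Customers (CustomerID int PRIMARY KEY, Name nvarchar(100));
INSERT INTO dbo.Customers (CustomerID, Name) VALUES (1, N'Alice'), (2, N'O''Brien');

DECLARE @Name nvarchar(100) = N'O''Brien';   -- a perfectly ordinary value containing an apostrophe
DECLARE @sql  nvarchar(max);

-- 1) EXEC(): the variable is concatenated into the string, so whatever it
--    contains is parsed as SQL. Here the apostrophe in the data ends the
--    string literal early and the batch fails with a syntax error; any other
--    input would be interpreted the same way, which is what makes this pattern
--    ripe for abuse.
SET @sql = N'SELECT CustomerID, Name FROM dbo.Customers WHERE Name = '''
         + @Name + N''';';
PRINT @sql;        -- SELECT CustomerID, Name FROM dbo.Customers WHERE Name = 'O'Brien';
-- EXEC(@sql);     -- raises a syntax error instead of returning the row

-- 2) sp_executesql: the statement text is fixed and the value is bound to a
--    typed parameter, so the apostrophe (or anything else in @Name) is only
--    ever compared as data. Note the all-lower-case procedure name, which
--    matches sys.all_objects and keeps this working on a case-sensitive instance.
SET @sql = N'SELECT CustomerID, Name FROM dbo.Customers WHERE Name = @p;';
EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @Name;   -- returns 2, O'Brien

DROP TABLE dbo.Customers;
```

Run the two halves in a scratch database; the EXEC() line is left commented so the batch completes, but uncommenting it shows the failure the concatenation causes.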