SQL Server Security – What Function Quotes an Identifier in Dynamic SQL?

Securitysql serversql-injection

What is the SQL Server method of safe-quoting identifiers for dynamic sql generation.

MySQL has quote_identifier
PostgreSQL has quote_ident

How do I ensure given a dynamically generated column name for a dynamically generated statement that the column itself isn't a SQL-injection attack.

Let's say I have a SQL Statement,

SELECT [$col] FROM table;

which is essentially the same as

'SELECT [' + $col + '] FROM table;'

What stops an injection attack where

$col = "name] FROM sys.objects; \r\n DROP TABLE my.accounts; \r\n\ --";

Resulting in

SELECT [name] FROM sys.objects;
DROP TABLE my.accounts;
-- ] FROM table;

Best Answer

The function that you're looking for is QUOTENAME!

Through the practical use of square bracket technology, you can safely encapsulate strings to aid in the prevention of hot SQL injection attacks.

Note that just sticking square brackets around something does not safely quote it out, though you can avoid your code erroring with invalid characters in object names.

Good code

DECLARE @sql NVARCHAR(MAX) = N''
SELECT @sql = 'SELECT ' + QUOTENAME(d.name) + ' FROM your_mom'
FROM sys.databases AS d

Bad code

DECLARE @sql NVARCHAR(MAX) = N''
SELECT @sql = 'SELECT [' + d.name + '] FROM your_mom'
FROM sys.databases AS d

To give a specific example...

The following works fine for the initial input

DECLARE @ObjectName SYSNAME = 'sysobjects';

DECLARE @dynSql NVARCHAR(MAX) = 'SELECT COUNT(*) FROM [' + @ObjectName + ']';

EXEC (@dynSql);

But with malicious input it is vulnerable to SQL injection

DECLARE @ObjectName SYSNAME = 'sysobjects];SELECT ''This is some arbitrary code executed. It might have dropped a table or granted permissions''--'

DECLARE @dynSql NVARCHAR(MAX) = 'SELECT  COUNT(*)  FROM [' + @ObjectName + ']';

EXEC (@dynSql);

Using QUOTENAME correctly escapes the embedded ] and prevents the attempted SQL injection from happening.

DECLARE @ObjectName SYSNAME = 'sysobjects];SELECT ''This is some arbitrary code executed. It might have dropped a table or granted permissions''--'

DECLARE @dynSql NVARCHAR(MAX) = 'SELECT  COUNT(*)  FROM ' + QUOTENAME(@ObjectName);

EXEC (@dynSql);

Invalid object name 'sysobjects];SELECT 'This is some arbitrary code executed. It might have dropped a table or granted permissions'--'.

Related Solutions

Sql-server – Imitate ‘dynamic’ columns in SQL Server

I used your approach two years ago for a similar problem, it works fairly well, except a bit pain with linq to sql (or entity framework), plus WinForm:

We created a few updatable views for each type of entity (or customer as per your sample) but linq to sql could not cope well with updatable views, or probably it's not the case now.

Now we used a different approach:

In the main table, we will have a column named Descriminator (something like UserType),

then for each type of entity, we will have its delegated table (extended from the main table), which uses same PrimaryKey as the main table - so of course, a foreign constraint refer back to the main table (i.e. Primary Key and foreign key on the same field), and the delegated table will have the specific columns related to that user type.

it works well too, and with this, we can take the advantage of entityframework's inheritance feature.

that's just my experience, so my suggestion is to write some small test apps to test out your approach(es) and evaluate. then get the best that has good performance and also suits your framework for UI.

Mysql – Am I using the ORDER BY clause incorrectly

Here is a sample in sqlfiddle-

The syntax for the select statment is the following

SELECT
    ...
    [ORDER BY {col_name | expr | position}
      [ASC | DESC], ...]
    ...

in the statement

SELECT * FROM table_name where id='2' order by 7 and '1';

7 and '1' must be interpreted as expression by the parser: 7 is the integer 7 and not a row position in the select list. The manual says

Logical AND. Evaluates to 1 if all operands are nonzero and not NULL,

so the expresion evaluates to 1