Unless you’re new to database administration or development, you’ve probably heard of SQL Injection. A devious-minded meanie with T-SQL skills deliberately types a bit of code into someone’s website or customer-facing application, and either deletes or steals all sorts of data. These types of attacks have been around for at least seven years, maybe longer. In that time, companies have worked hard to prevent this nastiness. One of Microsoft’s solutions is the SQL Server function QUOTENAME(), available in SQL Server 2005 and up.
I love QUOTENAME(). This fun and easy-to-use function should be a staple in every bit of code. But I’m getting ahead of myself. Here’s a brief exercise to demonstrate how nasty SQL Injection can be.
SQL Meanie works for ABC Company as an analyst. He’s recently got wind that there will be cuts due to the economy and he knows he’s on the chopping block. So he wants to do a little damage before he goes. There’s a tool in which he can enter a customer name and get the details for that customer. What he wants, though, is to know all the tables in the system so he can start his rampage of destruction.
/* First we create our table */
EDIT: Livejournal is not very T-SQL blog friendly, even with the WordPress code plugin I’m using.
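The lookup tool from the scenario above, as an added example that is not the post’s own code: a constructed Customers table, the lookup written by string concatenation, and the same lookup hardened with sp_executesql parameters and QUOTENAME(). The table, column and procedure names are assumptions.

```sql
-- Constructed sample data; the table, column and procedure names are assumptions.
CREATE TABLE dbo.Customers (CustomerId int IDENTITY PRIMARY KEY, CustomerName nvarchar(100) NOT NULL, Balance money);
INSERT INTO dbo.Customers (CustomerName, Balance) VALUES (N'Acme Ltd', 100);
INSERT INTO dbo.Customers (CustomerName, Balance) VALUES (N'O''Brien & Sons', 250);
GO

-- Vulnerable: the text typed into the tool is pasted straight into the statement.
CREATE PROCEDURE dbo.GetCustomer_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, CustomerName, Balance FROM dbo.Customers WHERE CustomerName = '''
             + @Name + N'''';
    EXEC (@sql);   -- the input is now part of the code, not part of the data
END
GO

-- Hardened: the value travels as a parameter of sp_executesql, and the one genuinely
-- dynamic piece (which column to filter on) is allow-listed and then wrapped by QUOTENAME().
CREATE PROCEDURE dbo.GetCustomer_Safe
    @Name nvarchar(100),
    @FilterColumn sysname = N'CustomerName'
AS
BEGIN
    IF @FilterColumn NOT IN (N'CustomerName')
    BEGIN
        RAISERROR(N'Unknown filter column', 16, 1);
        RETURN;
    END
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, CustomerName, Balance FROM dbo.Customers WHERE '
             + QUOTENAME(@FilterColumn) + N' = @p';   -- QUOTENAME brackets the identifier
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @Name;
END
GO

-- Compare. An apostrophe in a real name already breaks the unsafe version with a syntax
-- error; the second input closes the quote and adds a tautology, so the unsafe procedure
-- returns every row while the safe one treats the whole string as a name and returns none.
EXEC dbo.GetCustomer_Safe   @Name = N'O''Brien & Sons';
EXEC dbo.GetCustomer_Unsafe @Name = N'nobody'' OR 1=1 --';
EXEC dbo.GetCustomer_Safe   @Name = N'nobody'' OR 1=1 --';

-- QUOTENAME() also escapes a string literal when the quote character is passed as the
-- delimiter; its input is sysname, so anything longer than 128 characters comes back NULL.
SELECT QUOTENAME(N'O''Brien & Sons', '''') AS EscapedLiteral,
       QUOTENAME(REPLICATE(N'x', 129), '''') AS TooLong;
```

QUOTENAME() protects identifiers (and, with the quote delimiter, short literals); data values should still be passed as parameters rather than concatenated.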

