
How do I efficiently escape special characters in T-SQL?

IF NOT EXISTS (select * from sys.server_principals where lower([name]) =lower('DOMAIN\t''acct'))
BEGIN
  CREATE LOGIN [DOMAIN\t'acct] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
END

The above code works correctly. My question is, is there a way to efficiently use placeholders so that I can pass in the same account and use it in both places when I have special characters?

IF NOT EXISTS (select * from sys.server_principals where lower([name]) =lower('$(account)'))
BEGIN
  CREATE LOGIN [$(account)] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
END

where I would just replace $(account) with DOMAIN\\t''acct or DOMAIN\\t'acct?

Replacing with the former works only for the first replacement and says

CREATE LOGIN [DOMAIN\t''acct] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
Windows NT user or group 'DOMAIN\t''acct' not found. Check the name again.

for the create login statement.

And for the latter, I cannot just replace with t'acct as that would be incorrectly escaped. Doing it with a box throws this error:

select * from sys.server_principals where lower([name]) = lower([DOMAIN\t'acct])
Invalid column name 'DOMAIN\t'acct'.

Any additional pointers to prevent SQL injection would be helpful. I'm considering accounts such as DOMAIN\\'tacct as well (input is validated as a valid Windows user as well as domain format (contains \\ in the name)).

To prevent SQL injection it is better to use a parameterized query instead of using placeholders, I think.

To make the CREATE LOGIN statement work with an SQL parameter you will have to use dynamic SQL. The QUOTENAME function will help you escape the login name properly. In this case your SQL code could look like:

if not exists(select * from sys.server_principals where lower([name]) = lower(@loginName))
begin
    declare @sql nvarchar(max);
    set @sql =
        'CREATE LOGIN ' + quotename(@loginName) +
        ' FROM WINDOWS WITH DEFAULT_DATABASE = [master]';

    exec sp_executesql @sql;
end

where @loginName is the parameter that you should supply.
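As an added example (not code from the original question or answer), the answer's pattern wrapped in a stored procedure: the parameter is typed as sysname, QUOTENAME is checked for NULL (it returns NULL when its input is longer than 128 characters, which would otherwise silently turn the whole statement into NULL), and a few constructed names show what QUOTENAME produces. The procedure name and the sample login names are assumptions for illustration.

```sql
-- Added example, not from the original post. Procedure name and sample
-- login names are assumed for illustration.
CREATE PROCEDURE dbo.EnsureWindowsLogin
    @loginName sysname   -- nvarchar(128), the maximum length of a login name
AS
BEGIN
    SET NOCOUNT ON;

    -- QUOTENAME wraps the name in [ ] and doubles any ] inside it; a single
    -- quote needs no escaping inside brackets. It returns NULL for input
    -- longer than 128 characters, so guard against that before concatenating.
    DECLARE @quoted nvarchar(258) = QUOTENAME(@loginName);
    IF @quoted IS NULL
        THROW 50000, N'Login name is too long to be quoted as an identifier.', 1;

    -- Existence check: @loginName is used as an ordinary parameter here,
    -- so no escaping is needed and no injection is possible.
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals
                   WHERE LOWER([name]) = LOWER(@loginName))
    BEGIN
        -- DDL cannot take the login name as a parameter, so the quoted
        -- identifier is concatenated and the statement run dynamically.
        DECLARE @sql nvarchar(max) =
            N'CREATE LOGIN ' + @quoted +
            N' FROM WINDOWS WITH DEFAULT_DATABASE = [master];';
        EXEC sp_executesql @sql;
    END
END;
GO

-- What QUOTENAME does with awkward names (constructed samples):
SELECT QUOTENAME(N'DOMAIN\t''acct') AS quoted_quote,   -- [DOMAIN\t'acct]
       QUOTENAME(N'DOMAIN\a]b')     AS quoted_bracket; -- [DOMAIN\a]]b]

-- Same account used for both the check and the CREATE LOGIN, passed once.
EXEC dbo.EnsureWindowsLogin @loginName = N'DOMAIN\t''acct';
```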

Use SQL replacement only in the select query: when passing the placeholder, replace ' with ''.
