Is there a way to prevent SQL Server from Validating the SQL in a stored procedure during CREATE / ALTER

One aspect of our system requires our SQL Server instance to talk to a MySQL Server via a linked Server Connection.

MSSQL -> LinkedServer(MSDASQL ODBC Provider) -> MySQL ODBC Connector -> MySQL DB

The Table on the linked server is called in a SPROC along the lines of

CREATE PROCEDURE DoStuff
AS

SELECT a.ID, a.Name, b.OtherProperty
FROM   MyDatabase..MyTable a
JOIN   LINKSRVR...OtherTable b
ON     a.ID = b.ID

GO

The problem is that the MySQL database lives on another network, only accessible by VPN, and that the CREATE or ALTER statement breaks with the following error unless the VPN is active.

The OLE DB provider "MSDASQL" for linked server "LINKSRVR" reported an error. 
 The provider did not give any information about the error.

Cannot initialize the data source object of OLE DB provider 
"MSDASQL" for linked server "LINKSRVR".

Is there any way to force SQL Server to just go ahead and create the SPROC with the SQL I tell it and not try to validate whether the linked server is up or down?

Eoin Campbell asked Sep 26 '11 16:09


People also ask

Do stored procedures prevent SQL injection?

Stored procedures only directly prevent SQL injection if you call them in a parameterized way. If you still have a string in your app with the procedure name and concatenate parameters from user input to that string in your code, you'll still have trouble.

How can we prevent SQL injection in dynamic query in SQL Server?

In general, to prevent SQL injection, we should use parameterized queries in C# code or stored procedures. Since we focus on the stored procedures, let's look into them. An unsafe way of writing a stored procedure to execute dynamic SQL queries: Create Procedure GetData(@input varchar(350))

Can stored procedure be altered?

Explanation. Modifying or ALTERing a stored procedure is pretty simple. Once a stored procedure has been created it is stored within one of the system tables in the database that it was created in. When you modify a stored procedure, the entry that was originally made in the system table is replaced by the new code.

Does Quotename prevent SQL injection?

Yes, things haven't changed much in this area; you should be using QUOTENAME for any SQL Server object names that are used in dynamic SQL (especially if they are supplied externally to your code). As well as SQL injection mitigation, this also means your code will work correctly for non-standard identifier names.


1 Answer

You'd have to "hide" the offending SQL from the compiler by placing it in a string and executing it as dynamic SQL.

Joe Stefanelli answered Oct 12 '22 12:10
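The following is an added example, not code from the question or the answer above. It applies the answer's approach to the question's DoStuff procedure: the join that touches LINKSRVR is placed inside a string, so CREATE or ALTER only has to compile the sp_executesql call and never asks the MSDASQL provider for metadata. MyDatabase, MyTable, LINKSRVR and OtherTable are the names from the question; @MinID and @RemoteTable are assumed parameters, added to show how a value and an object name reach the dynamic statement without string concatenation of user input.

```sql
-- Added example (not from the original question or answer). Assumed names are
-- marked; the four-part name LINKSRVR...OtherTable is taken from the question.

CREATE PROCEDURE dbo.DoStuff
    @MinID int = 0                       -- assumed parameter
AS
BEGIN
    SET NOCOUNT ON;

    -- The remote reference is just text here, so the procedure compiles even
    -- when LINKSRVR is unreachable. Nothing is resolved until EXEC runs it.
    DECLARE @sql nvarchar(max) = N'
        SELECT a.ID, a.Name, b.OtherProperty
        FROM   MyDatabase..MyTable AS a
        JOIN   LINKSRVR...OtherTable AS b
          ON   a.ID = b.ID
        WHERE  a.ID >= @MinID;';

    -- Values travel as parameters, never spliced into @sql, so the statement
    -- text is fixed regardless of what the caller passes in.
    EXEC sys.sp_executesql
        @sql,
        N'@MinID int',
        @MinID = @MinID;
END;
GO

-- Variant with a caller-chosen remote table name (assumed requirement).
-- Identifiers cannot be parameterised, so the name is delimited with
-- QUOTENAME; concatenating @RemoteTable raw would be an injection point.
CREATE PROCEDURE dbo.DoStuffFrom
    @RemoteTable sysname,                -- assumed parameter
    @MinID       int = 0                 -- assumed parameter
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @sql nvarchar(max) = N'
        SELECT a.ID, a.Name, b.OtherProperty
        FROM   MyDatabase..MyTable AS a
        JOIN   LINKSRVR...' + QUOTENAME(@RemoteTable) + N' AS b
          ON   a.ID = b.ID
        WHERE  a.ID >= @MinID;';

    EXEC sys.sp_executesql
        @sql,
        N'@MinID int',
        @MinID = @MinID;
END;
GO

-- Both CREATE statements succeed with the VPN down. At run time the same
-- MSDASQL error from the question surfaces from inside sp_executesql if
-- LINKSRVR cannot be reached, so callers must still handle that failure.
EXEC dbo.DoStuff @MinID = 100;
EXEC dbo.DoStuffFrom @RemoteTable = N'OtherTable', @MinID = 100;
GO
```

Two caveats come with moving the query into dynamic SQL. First, the check has not gone away, it has only moved from CREATE time to execution time, so the procedure will fail at run time whenever the linked server is down. Second, statements run through sp_executesql execute with the caller's permissions rather than under the procedure owner's ownership chain, so callers need rights on MyDatabase..MyTable and a login mapping on LINKSRVR that they would not have needed with the static version.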