Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is there a way to prevent SQL Server from Validating the SQL in a stored procedure during CREATE / ALTER

Tags:

validation

sql-server

stored-procedures

linked-server

One aspect of our system requires our SQL Server instance to talk to a MySQL Server via a linked Server Connection.

MSSQL -> LinkedServer(MSDASQL ODBC Provider) -> MySQL ODBC Connector -> MySQL DB

The Table on the linked server is called in a SPROC along the lines of

CREATE PROCEDURE DoStuff
AS

SELECT a.ID, a.Name, b.OtherProperty
FROM   MyDatabase..MyTable a
JOIN   LINKSRVR...OtherTable b
ON     a.ID = b.ID

GO

The problem is that the MySQL database lives on another network, only accessible by VPN & that the CREATE or ALTER statement breaks with the following error unless the VPN is active.

The OLE DB provider "MSDASQL" for linked server "LINKSRVR" reported an error. 
 The provider did not give any information about the error.

Cannot initialize the data source object of OLE DB provider 
"MSDASQL" for linked server "LINKSRVR".

Is there anyway to force SQL Server to just go ahead and create the SPROC with the SQL I tell it and not to try and validate if the LinkedServer is up/down.

like image 456
Eoin Campbell Avatar asked Sep 26 '11 16:09

Eoin Campbell

People also ask

Do stored procedures prevent SQL injection?

Stored procedures only directly prevent SQL injection if you call them in a paramerized way. If you still have a string in your app with the procedure name and concatenate parameters from user input to that string in your code you'll have still have trouble.

How can we prevent SQL injection in dynamic query in SQL Server?

In general, to prevent SQL injection, we should use parameterized queries in C# code or the stored procedures. Since we focus on the stored procedures, let's look into them. An unsafe way of writing stored procedure to execute SQL dynamic queries: Create Procedure GetData(@input varchar(350))

Can stored procedure be altered?

Explanation. Modifying or ALTERing a stored procedure is pretty simple. Once a stored procedure has been created it is stored within one of the system tables in the database that is was created in. When you modify a stored procedure the entry that was originally made in the system table is replaced by this new code.

Does Quotename prevent SQL injection?

Yes, things haven't changed much in this area, you should be using quotename for any SQL server object names that are used in dynamic SQL (especially if they are supplied externally to your code). As well as SQL injection mitigation this also means your code will work correctly for non standard identifier names.

1 Answers

You'd have to "hide" the offending SQL from the compiler by placing it in a string and executing it as dynamic SQL.

like image 146
Joe Stefanelli Avatar answered Oct 12 '22 12:10

Joe Stefanelli
Sign in to Comment

Related questions

best default collation of a multilingual database
query plan shows cost of 54% for an insert when no rows actually involved
SQL Server (SQLEXPRESS) and SQL Server Agent (SQLEXPRESS)
Cursors vs. While loop - SQLServer
Check if it is safe to delete a row
Common Dialog for selecting a SQL Server and getting login details?
SQL Server 2008 search double byte characters
MSSQL: Unable to create relationships for two foreign keys to the same table?
Aggregate function that selects the value of a column that corresponds to another successful aggregate functions match
best practices to implement hashing?
SQL Server non-clustered index design
SQL Server WITH clause
In T-SQL under MS SQL Server 2008, what does '@' mean in front of a parameter *value* that's a string literal?
XQUERY - How to use the sql:variable in 'value()' function?
Conditional sort order in SQL Server windowed function clauses
SQL Server case/collation issue
SQL Query for YTD, MTD, WTD totals
SQL server join vs subquery performance question
Why does linked view give different results from MS Access vs SQL Manager?
Sql Server Agent job running longer than interval between executions

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!