T-SQL, string injection, REPLACE(@myVariable, ””, ”””) approach? Once and for all

Çağlar Arlı

I see there are forums about this question, but everywhere, I fail to see the answer I am looking for.

I have a stored procedure whose purpose is to execute a dynamic SQL statement. It uses a cursor, which makes it a single point where only a single REPLACE() is made. Here is, simply, how it goes at the end.

Here is a sample of my approach:

DECLARE @myVariable VARCHAR(128) = 'something''; DELETE DATABASE '
DECLARE @mySQL VARCHAR(8000)

-- Double every single quote inside the value, then wrap the escaped value in quotes
SET @mySQL = 'SELECT * FROM myTable t WHERE t.myColumn = ''' + REPLACE(@myVariable, '''', '''''') + ''''

EXEC (@mySQL)
-- Result:
-- SELECT * FROM myTable t WHERE t.myColumn = 'something''; DELETE DATABASE '

There is no way I can find that this method can be bypassed. Now I know there are a lot of answers to that question and that it has already been gone through. But every answer to it I find FAILS to answer IN WHAT WAY one would SUCCESSFULLY string inject ANYTHING through this. I know that parameterized expressions are a best practice, but that IS NOT an answer to this.

I want a SINGLE example on how one could successfully string inject anything through that gate.
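For comparison, here is an added example (editor's code, not the poster's) of the two forms a defender would ship for the same query: the escaped-literal form built with QUOTENAME, which escapes only the value and adds the delimiters itself, and the parameterized form with sp_executesql, where the value never becomes part of the statement text. It assumes the table myTable and column myColumn from the question.

```sql
-- Added example, not from the original post. Assumes a table myTable with a
-- VARCHAR column myColumn, as in the question.
DECLARE @myVariable VARCHAR(128) = 'something''; DELETE DATABASE ';

-- 1) If the value really must be inlined as a literal, escape ONLY the value
--    and let QUOTENAME add the delimiters: with '''' as the quote character it
--    doubles every embedded single quote and wraps the result in single quotes
--    in one step. Its return type is NVARCHAR(258), wide enough for a 128-char
--    value with every quote doubled plus the two delimiters, so the escaped
--    literal is never cut short.
DECLARE @mySQL NVARCHAR(4000) =
    N'SELECT * FROM myTable t WHERE t.myColumn = ' + QUOTENAME(@myVariable, '''');
PRINT @mySQL;
-- SELECT * FROM myTable t WHERE t.myColumn = 'something''; DELETE DATABASE '

-- 2) Preferred: keep the value out of the statement text entirely. The SQL is
--    a constant; the value travels as a typed parameter, so there is no quote
--    handling to get right and the plan is cached once for every value.
DECLARE @paramSQL NVARCHAR(4000) =
    N'SELECT * FROM myTable t WHERE t.myColumn = @value';
EXEC sp_executesql @paramSQL, N'@value VARCHAR(128)', @value = @myVariable;
```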