What is the SQL Server equivalent for Oracle DBMS_ASSERT?

DBMS_ASSERT is one of the keys to preventing SQL injection attacks in Oracle. I tried a quick look ... is there an SQL Server 2005/2008 equivalent for this feature?

I am looking for a specific implementation that has an analogue of all the relevant elements of the Oracle DBMS_ASSERT package.

  • NOOP
  • SIMPLE_SQL_NAME
  • QUALIFIED_SQL_NAME
  • SCHEMA_NAME

I know the best practices for preventing injection ... bind variables ... being one of them.
But on this question, I'm specifically looking for a good way to sanitize input ... in scripts where bind-variables were not used.

Do you have any specific features?
Is there a library that is actually an Oracle SQL Server port?

+3
6

, , - QUOTENAME, (, , SIMPLE_SQL_NAME ENQUOTE_NAME , , . , ( ) .

(, "bob" "database.owner.bob" ), , QUOTENAME , :

QUOTENAME(@database) + '.' + QUOTENAME(@owner) + '.' + QUOTENAME(@tableName)

, DB_NAME() , :

DB_NAME() + '.' + QUOTENAME(@owner) + '.' + QUOTENAME(@tablename)

:

USER_NAME(OBJECTPROPERTY(OBJECT_ID(@tablename), 'ownerid'))

, , , .

: SQL Server, . UDF, , , , , , sproc sp_ExecuteSQL SQL Server.

+1
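An added example (not part of the original answers) that builds on the QUOTENAME concatenation and sp_executesql named above: the identifier is quoted, checked against the catalog as a rough counterpart of DBMS_ASSERT.SQL_OBJECT_NAME, and only then concatenated, while the value travels as a bound parameter. The procedure name dbo.usp_CountRows, the table dbo.Orders and its id column are hypothetical.

```sql
-- Added example; dbo.usp_CountRows, dbo.Orders and the id column are hypothetical.
CREATE PROCEDURE dbo.usp_CountRows
    @owner     sysname,
    @tableName sysname,
    @minId     int
AS
BEGIN
    SET NOCOUNT ON;

    -- QUOTENAME wraps the name in [ ] and doubles any embedded ].
    -- A NULL part gives NULL; QUOTENAME also returns NULL for input
    -- longer than 128 characters, so NULL here means "reject".
    DECLARE @qualified nvarchar(600);
    SET @qualified = QUOTENAME(@owner) + N'.' + QUOTENAME(@tableName);

    IF @qualified IS NULL
    BEGIN
        RAISERROR(N'Invalid schema or table name.', 16, 1);
        RETURN;
    END;

    -- The quoted name must resolve to an existing user table ('U')
    -- in the current database before it is used in dynamic SQL.
    IF OBJECT_ID(@qualified, N'U') IS NULL
    BEGIN
        RAISERROR(N'Table not found.', 16, 1);
        RETURN;
    END;

    -- Only the validated, quoted identifier is concatenated;
    -- @minId is passed to sp_executesql as a parameter.
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT COUNT(*) AS row_count FROM ' + @qualified
             + N' WHERE id >= @minId;';

    EXEC sp_executesql @sql, N'@minId int', @minId = @minId;
END;
GO

-- Constructed calls: the first resolves if dbo.Orders exists; the second
-- name contains a closing bracket, is quoted as one identifier, and is
-- rejected with "Table not found." because no such table exists.
EXEC dbo.usp_CountRows @owner = N'dbo', @tableName = N'Orders', @minId = 100;
EXEC dbo.usp_CountRows @owner = N'dbo', @tableName = N'Orders] WHERE 1=1 --', @minId = 1;
```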

, EXECuting .

sp_executesql .

, SQL- .

EDIT: , . sp_execute, sp_executesql; : SQL Server.

EDIT2: sp_executesql

+2

, , TSQLAssert TSQLMacro, TSQL. .

TSQLAssert - TSQLMacro. , , ++ - . TSQLAssert - , , .

+2

" ". :

  • 1. 2., '' ' , SQL.
0

- DBMS_ASSERT Sql Server, . , PROC, .

Microsoft - , .

0

, SQL SERVER DBMS_ASSERT.

SQL Injection

0

Source: https://habr.com/ru/post/1722623/

